Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)

By kannthu

High
Vidoc Module
#ssrf #wp #wp-plugin #wordpress #unauth
Description

What is the "Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)" module?

The "Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)" module is designed to detect a server-side request forgery (SSRF) vulnerability in the Under Construction, Coming Soon & Maintenance Mode plugin for WordPress. This vulnerability has a high severity level and was originally discovered by Akincibor.

Impact

A server-side request forgery (SSRF) vulnerability allows an attacker to make requests from the vulnerable server to other internal or external resources. In the case of this module, the vulnerability exists in the includes/mc-get_lists.php file, where the 'apiKey' POST parameter is used to create an HTTPS URL without proper sanitization. This can lead to unauthorized access to sensitive information or potential attacks on other systems.

How does the module work?

The module works by sending a specific HTTP request to the /wp-admin/admin-ajax.php endpoint of the target WordPress site. The request includes the 'action' parameter set to 'ucmm_mc_api' and the 'apiKey' parameter containing a crafted URL. The vulnerable code in the plugin's includes/mc-get_lists.php file uses the 'apiKey' parameter to create an HTTPS URL without proper sanitization. This URL is then called using cURL, resulting in a server-side request forgery (SSRF) vulnerability.

One example of the HTTP request sent by the module:

POST /wp-admin/admin-ajax.php HTTP/2
Host: <Hostname>
Origin: 
Content-Type: application/x-www-form-urlencoded

action=ucmm_mc_api&apiKey=-<InteractionURL>%2Ftest%2Ftest%2Ftest%3Fkey1%3Dval1%26dummy%3D

The module also includes matching conditions to identify the presence of the vulnerability. In this case, it checks for the presence of the "http" protocol in the response, indicating a successful SSRF attack.
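A defensive check for the request shape shown above, as an added example that is not part of the original page or the plugin's code: it inspects captured POST bodies (for instance from a WAF or reverse-proxy audit log) and flags ucmm_mc_api calls whose apiKey is not a well-formed key. The Mailchimp key format, the URL template and the oast.example host are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a Mailchimp API key is 32 hex characters, "-", then a
# datacenter label such as "us6".
VALID_KEY = re.compile(r"[0-9a-f]{32}-[a-z]{2}[0-9]{1,3}")
# Assumption: the plugin puts the text after the first "-" into this template.
URL_TEMPLATE = "https://{dc}.api.mailchimp.com/3.0/lists/"


def effective_host(api_key):
    """Host the server would contact under the assumed URL template."""
    dc = api_key.split("-", 1)[1] if "-" in api_key else ""
    try:
        return urlsplit(URL_TEMPLATE.format(dc=dc)).hostname
    except ValueError:  # e.g. an unbalanced "[" in the authority
        return None


def inspect_body(body):
    """Return a finding for a suspicious ucmm_mc_api request, else None."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "ucmm_mc_api":
        return None  # not a call to the plugin's AJAX action
    api_key = params.get("apiKey", [""])[0]
    if VALID_KEY.fullmatch(api_key):
        return None  # well-formed key, host stays under api.mailchimp.com
    return {"apiKey": api_key, "host": effective_host(api_key)}


# Constructed sample bodies; oast.example stands in for <InteractionURL>.
SAMPLE_BODIES = [
    "action=ucmm_mc_api&apiKey=0123456789abcdef0123456789abcdef-us6",
    "action=ucmm_mc_api&apiKey=-oast.example%2Ftest%2Ftest%2Ftest"
    "%3Fkey1%3Dval1%26dummy%3D",
    "action=heartbeat&interval=15",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_body(body))
```

A reported host that is not a name under api.mailchimp.com means the submitted value, not the plugin, chose where the outbound request would go.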

Module preview

Concurrent Requests (1)
1. HTTP Request template: Raw request
   Matching conditions: word: http
Passive global matcher: No matching conditions.
On match action: Report vulnerability