
@Xib3rR4dAr
Created March 2, 2024 23:04
Avada <= 7.11.6 Contributor+ SSRF

Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)

Description

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Blind SSRF in versions up to, and including, 7.11.6. This makes it possible for authenticated attackers with contributor-level and above permissions to send requests to arbitrary hosts/URLs with a custom HTTP verb and custom headers.

Steps from Author:

  1. Log in as author
  2. Visit http://example.com/wp-admin/admin.php?page=avada-forms
  3. Enter any name for the form and click "Create New Form"
  4. In the editor, the "Text" tab would already be selected; if not, click the "Text" tab and paste:
     [fusion_form_submit]SubmitSSRF[/fusion_form_submit]
  5. Click the "Submission" tab at the bottom
  6. Click "AJAX" as "Submission Type"
  7. In the "Action" textarea, click and select "Send to URL"
  8. Click the pen button, set "Form submission URL" to any internal host URL along with custom GET parameters (POST params might also be appendable using form fields), and click "Add Header" to add a custom header along with a custom value
  9. While the frontend only offers POST/GET as HTTP verbs, it can also be changed to HEAD/PUT/DELETE by modifying _fusion[url_method]= to the desired verb in the request to /wp-admin/post.php when the "Update" button is clicked.
  10. Click "Update" and note the form id from the URL (post={form_id})
  11. Visit http://example.com/wp-admin/post-new.php to create a new post
  12. Enter any title for the post
  13. In the editor, the "Text" tab would already be selected; if not, click the "Text" tab and paste (replace the form_post_id value with the created form's id):
     [fusion_form form_post_id="123" /]
  14. Click "Publish"
  15. Visit the permalink of the form shown below the title
  16. The SSRF will now trigger when any user, or the author user himself, visits the form and submits it by clicking "SubmitSSRF"

The issue can also be exploited by a contributor user, but this requires a higher-privileged user to approve the form and the post.

Detection

Endpoint: /wp-admin/post.php
Parameter _fusion[action] contains an internal host.

Fix

Allow admin users to maintain a whitelist of hosts to which forms can be sent. Also, use wp_safe_remote_request instead of wp_remote_request in wp-content/plugins/fusion-builder/inc/class-fusion-form-submit.php on line #321.
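The following Python script is an added example covering both the Detection and Fix sections above; it is not code from the gist or from the Avada theme. It does two things: it runs the detection rule (POST to /wp-admin/post.php whose _fusion[action] points at an internal host) over a few constructed request-log lines, and it models the fix as a host whitelist layered on the kind of validation wp_safe_remote_request applies through wp_http_validate_url (http(s) only, no loopback/private/link-local destinations, default safe ports 80/443/8080). The log format, the sample hosts, and the function names are assumptions made for this example; the real WordPress check also resolves the hostname, which this offline model deliberately does not do.

```python
"""Detection and fix model for the Avada form-submission SSRF (added example, not Avada's code)."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines: "<METHOD> <PATH> <FORM BODY>". Not taken from the advisory.
SAMPLE_LOG = [
    "POST /wp-admin/post.php action=editpost&post_ID=123"
    "&_fusion%5Baction%5D=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus&_fusion%5Burl_method%5D=GET",
    "POST /wp-admin/post.php action=editpost&post_ID=124"
    "&_fusion%5Baction%5D=https%3A%2F%2Fhooks.example.org%2Fform&_fusion%5Burl_method%5D=POST",
    "POST /wp-admin/post.php action=editpost&post_ID=125"
    "&_fusion%5Baction%5D=http%3A%2F%2F10.0.0.5%2Fhealth",
    "GET /wp-admin/post.php?post=123&action=edit",
]

# Default ports accepted by wp_http_validate_url() (filterable via http_allowed_safe_ports).
SAFE_PORTS = {80, 443, 8080}

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$")


def host_is_internal(host: str) -> bool:
    """True for 'localhost' and for IP literals that are not globally routable
    (loopback, RFC 1918, link-local, etc.). Hostnames are NOT resolved here, so a
    public DNS name pointing at an internal address is not caught by this offline model."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; would need DNS resolution to decide
    return not ip.is_global


def parse_fusion_action(body: str) -> Optional[str]:
    """Extract the decoded _fusion[action] value (the form submission URL) from a form body."""
    values = parse_qs(body, keep_blank_values=True).get("_fusion[action]")
    return values[0] if values else None


def audit_post_requests(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Detection rule from the advisory: flag POSTs to /wp-admin/post.php whose
    _fusion[action] targets an internal host. Returns (line_index, destination_url)."""
    findings = []
    for index, line in enumerate(lines):
        match = LOG_RE.match(line)
        if not match or match["method"] != "POST":
            continue
        if match["path"].split("?", 1)[0] != "/wp-admin/post.php":
            continue
        destination = parse_fusion_action(match["body"] or "")
        if destination and host_is_internal(urlparse(destination).hostname or ""):
            findings.append((index, destination))
    return findings


def is_allowed_destination(url: str, allowed_hosts: Set[str]) -> Tuple[bool, str]:
    """Fix model: admin-maintained host whitelist on top of wp_safe_remote_request-style
    validation. Returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    host = parsed.hostname or ""
    if not host:
        return False, "no host"
    if host_is_internal(host):
        return False, "internal host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in SAFE_PORTS:
        return False, f"port {port} not allowed"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not in whitelist"
    return True, "ok"


if __name__ == "__main__":
    for index, destination in audit_post_requests(SAMPLE_LOG):
        print(f"line {index}: form submission URL targets internal host: {destination}")
    for candidate in ("https://hooks.example.org/form", "http://10.0.0.5/health"):
        print(candidate, "->", is_allowed_destination(candidate, {"hooks.example.org"}))
```

The whitelist check runs last on purpose: even a whitelisted hostname is rejected if it is an internal literal or uses an unusual port, which mirrors how wp_safe_remote_request refuses a URL regardless of what the caller intended.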

Screenshots

(five screenshots attached to the original gist; not reproduced here)
