Zapier for WordPress Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Zapier for WordPress plugin, affecting all versions up to and including 1.5.1. The flaw lies in the updated_user() function, which lets authenticated attackers with Subscriber-level access or higher make the server issue web requests to arbitrary locations. This could be exploited to query and modify information held by internal services.
Impact
Exploitation of this vulnerability allows for blind Server-Side Request Forgery, where an attacker can make requests from the server to internal or external services, potentially leading to unauthorized information disclosure or modification.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can trigger the updated_user() function. This can be done by updating a user profile, which will invoke the function and send a request to a specified endpoint. The request can be directed to an internal service, allowing the attacker to query or modify information.
Remediation
Users are advised to update the Zapier for WordPress plugin to version 1.5.2 or later, where this vulnerability has been patched.
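The advisory describes the class of bug but not the code, so the following is an added illustration of the pattern, not the plugin's own code: an unsafe profile-update handler that forwards user data to a request-supplied URL, beside a hardened handler that only sends to an administrator-configured destination on an allowlist. The hook name, option and parameter names, and the allowlist host are assumptions.

```php
<?php
// Added illustration, not the Zapier for WordPress plugin's code.
// Option name, request parameter and allowlist host are assumptions.

// Unsafe pattern: the destination is taken from request data that any
// user able to edit a profile can supply, so every host the server can
// reach (including internal services) becomes a possible target.
function example_updated_user_unsafe( $user_id ) {
    $url = isset( $_POST['example_webhook_url'] ) ? $_POST['example_webhook_url'] : '';
    wp_remote_post( $url, array( 'body' => array( 'user_id' => $user_id ) ) );
}

// Hardened check: require https, no embedded credentials, a host on a fixed
// allowlist, and WordPress's own validation (rejects private/loopback IPs).
function example_allowed_webhook_url( $url ) {
    $allowed_hosts = array( 'hooks.zapier.com' ); // assumption for this example
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) { return false; }
    if ( ( isset( $parts['scheme'] ) ? $parts['scheme'] : '' ) !== 'https' ) { return false; }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) { return false; }
    if ( ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) { return false; }
    return wp_http_validate_url( $url ) !== false;
}

// Hardened handler: the destination is an admin-managed option, never a
// value a Subscriber can set, and it is validated before every request.
function example_updated_user_safe( $user_id ) {
    $url = get_option( 'example_webhook_url', '' );
    if ( ! example_allowed_webhook_url( $url ) ) {
        error_log( 'example: webhook destination rejected, not sending' );
        return;
    }
    // wp_safe_remote_post() sets reject_unsafe_urls and revalidates the URL.
    wp_safe_remote_post( $url, array(
        'body'    => array( 'user_id' => (int) $user_id ),
        'timeout' => 5,
    ) );
}
add_action( 'profile_update', 'example_updated_user_safe' );
```

The logged rejection is the signal a defender would alert on: a destination outside the allowlist appearing here indicates someone is trying to steer the server's outbound requests.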
