Smackcoders WP Import – Ultimate CSV XML Importer
cpe:2.3:a:smackcoders:wp_ultimate_csv_importer:*:*:*:*:wordpress:*:*
- <= 7.35
A server-side request forgery (SSRF) vulnerability has been identified in the WP Import – Ultimate CSV XML Importer for WordPress plugin, affecting all versions through 7.35. The vulnerability arises from insufficient validation of URLs after following Bitly shortlink redirects in the 'upload_function()' method. While the initial URL is validated, the final destination URL is not re-validated after following the redirect. This flaw allows authenticated attackers with Contributor-level access or higher to make the server send HTTP requests to arbitrary internal endpoints, such as localhost, private IP ranges, and cloud metadata services, potentially exposing sensitive internal data.
Exploitation of this vulnerability could lead to unauthorized access to internal endpoints, allowing for the retrieval of sensitive data from services like cloud metadata APIs.
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can upload a file from a URL that is a Bitly shortlink. The 'upload_function()' will follow the redirect to the final URL without re-validating it, allowing the server to make requests to internal endpoints.
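The defect described above is a validate-once pattern: the URL is checked before the request, but the HTTP client then transparently follows the shortlink's redirect to a destination that was never checked. The following is an added example (not the plugin's own code, and not the vendor's fix) of the shape of a defensive fetch for a WordPress plugin: auto-following is disabled, each `Location` hop is resolved and validated against loopback, private and reserved ranges before it is requested, and a hop limit bounds the chain. The helper names (`example_is_public_http_url`, `example_safe_fetch_for_import`) are hypothetical; the WordPress HTTP API functions used (`wp_remote_get`, `wp_remote_retrieve_header`, `WP_Http::make_absolute_url`) are real.

```php
<?php
// Added example, not plugin code. Helper names are hypothetical.

/**
 * Return true only if $url is http(s) and every address its host resolves
 * to is a public, routable IP. This must run for the initial URL *and* for
 * every redirect target, because the redirect target is what is fetched.
 */
function example_is_public_http_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // parse_url keeps the brackets on IPv6 literals ("[::1]"); strip them.
    $host = strtolower( trim( $parts['host'], '[]' ) );
    if ( 'localhost' === $host || '.localhost' === substr( $host, -10 ) ) {
        return false;
    }
    // A literal IP is checked directly; a hostname is resolved and every
    // returned address must be public, since the client may use any of them.
    // gethostbynamel() returns IPv4 only, so an AAAA-only host fails closed.
    $addresses = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $addresses ) ) {
        return false;
    }
    foreach ( $addresses as $ip ) {
        // NO_PRIV_RANGE rejects RFC 1918 space; NO_RES_RANGE rejects loopback,
        // 169.254.0.0/16 (where cloud metadata services live), ::1, fe80::/10, etc.
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Fetch $url for import, following at most $max_hops redirects and
 * re-validating the destination of each one. Returns the body or a WP_Error.
 */
function example_safe_fetch_for_import( $url, $max_hops = 3 ) {
    for ( $hop = 0; $hop <= $max_hops; $hop++ ) {
        if ( ! example_is_public_http_url( $url ) ) {
            return new WP_Error( 'unsafe_url', 'Refusing to fetch non-public URL: ' . $url );
        }
        // redirection => 0 makes the HTTP API hand back the 3xx response
        // instead of silently following it; the loop decides what to do next.
        $response = wp_remote_get( $url, array(
            'redirection'        => 0,
            'timeout'            => 15,
            'reject_unsafe_urls' => true,
        ) );
        if ( is_wp_error( $response ) ) {
            return $response;
        }
        $code = (int) wp_remote_retrieve_response_code( $response );
        if ( $code < 300 || $code >= 400 ) {
            if ( 200 === $code ) {
                return wp_remote_retrieve_body( $response );
            }
            return new WP_Error( 'http_error', 'Unexpected HTTP status ' . $code );
        }
        $location = wp_remote_retrieve_header( $response, 'location' );
        if ( empty( $location ) || is_array( $location ) ) {
            return new WP_Error( 'bad_redirect', 'Redirect without a single Location header' );
        }
        // Location may be relative; make it absolute before the next check.
        $url = WP_Http::make_absolute_url( $location, $url );
    }
    return new WP_Error( 'too_many_redirects', 'Exceeded ' . $max_hops . ' redirects' );
}

// Usage inside an upload handler, after the capability check:
// $body = example_safe_fetch_for_import( $user_supplied_url );
// if ( is_wp_error( $body ) ) { /* reject the import and log the reason */ }
```

The check operates on resolved addresses rather than hostnames, so a shortlink pointing at a DNS name that resolves to `127.0.0.1` or `169.254.169.254` is rejected the same way as a literal address. One remaining gap worth knowing about: the lookup in `example_is_public_http_url()` and the lookup the HTTP client performs are two separate DNS queries, so an attacker-controlled name that changes its answer between them (DNS rebinding) can still slip through; closing that requires pinning the validated IP for the actual connection (for example via `CURLOPT_RESOLVE` in an `http_api_curl` hook), which is beyond this example.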
Users are advised to update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.36 or a newer patched version.