Featured Image Plus WordPress Plugin Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress, affecting all versions through 1.6.4. The flaw is in the fip_get_image_options() function, which issues a web request to a destination taken from the incoming request without restricting where that destination may point. An authenticated attacker with administrator-level access can therefore make the web server send requests to arbitrary locations, including internal services that are reachable from the server but not from the attacker, and use the responses to query or modify information on those services. Because administrator access is required, the practical risk is a compromised or malicious administrator account being used as a pivot into the server's network.

Impact

Exploitation of this vulnerability allows Server-Side Request Forgery: the attacker causes the vulnerable server to make requests, with the server's own network position and credentials, to internal services or to external systems. Depending on what those services expose, this can lead to unauthorized disclosure or modification of data that the attacker could not reach directly.

Reproduction

To reproduce this vulnerability, an authenticated user with administrator-level access sends a request to the site's WordPress AJAX endpoint that invokes the 'wp_ajax_fip_get_image_options' hook (in WordPress this is /wp-admin/admin-ajax.php with the 'action' parameter set to 'fip_get_image_options') and includes the 'image_source' parameter set to 'unsplash'. This triggers the vulnerable function, and the server makes a web request to the image source supplied in the request. Pointing that destination at an internal service, or at an arbitrary external host under the attacker's control, demonstrates the SSRF.
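The following is an added example, not code from the advisory or from the plugin: a small detection script that scans web-server access-log lines for requests invoking the vulnerable AJAX action and flags those whose parameters carry a URL aimed at an internal address. Only the action name 'fip_get_image_options' and the 'image_source=unsplash' parameter come from the advisory; the combined log format, the parameter name 'url' in the sample lines, and the sample lines themselves are constructed for illustration. Because the advisory does not name the parameter that carries the fetched URL, the script inspects every parameter value.

```python
"""
Added example (not part of the advisory and not the plugin's own code):
scan web-server access-log lines for calls to the vulnerable AJAX action and
flag any request whose parameters carry a URL aimed at an internal address.

Assumptions: combined log format; the parameter name 'url' in the sample
lines is a placeholder, since the advisory does not name the parameter that
carries the fetched URL (so every parameter value is inspected); the sample
log lines are constructed, not real traffic.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# WordPress dispatches the wp_ajax_{action} hook for requests to
# /wp-admin/admin-ajax.php whose 'action' parameter matches.
VULN_ACTION = "fip_get_image_options"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined-log prefix: client ip, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def is_internal_target(url: str) -> bool:
    """True when the URL host is loopback, private, link-local (which covers
    the 169.254.169.254 cloud metadata address) or an obviously internal
    name. Hostnames are not resolved, so a public name that resolves to an
    internal address, or an IP written in decimal/hex form, is not caught."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    if host == "localhost" or host.endswith((".internal", ".local")):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def analyze_line(line: str):
    """Return a finding for a request that invokes the vulnerable action,
    or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = urlparse(m.group("path"))
    if req.path != AJAX_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(req.query).items()}
    if params.get("action") != VULN_ACTION:
        return None
    internal = [
        (k, v) for k, v in params.items()
        if v.lower().startswith(("http://", "https://")) and is_internal_target(v)
    ]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "image_source": params.get("image_source"),
        "internal_targets": internal,
        # 'medium': the vulnerable action was invoked at all (review the actor);
        # 'high': the fetched URL points inside the network.
        "severity": "high" if internal else "medium",
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines, dropping non-matches."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jul/2025:03:25:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=fip_get_image_options&image_source=unsplash'
    '&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '198.51.100.4 - - [23/Jul/2025:03:26:10 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=fip_get_image_options&image_source=unsplash'
    '&url=https%3A%2F%2Fapi.unsplash.com%2Fphotos%2Frandom HTTP/1.1" 200 2048',
    '198.51.100.4 - - [23/Jul/2025:03:26:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1200',
    '198.51.100.4 - - [23/Jul/2025:03:26:15 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64',
    '203.0.113.7 - - [23/Jul/2025:03:27:41 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=fip_get_image_options&image_source=unsplash'
    '&url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats for real deployments: WordPress reads 'action' from both the query string and a POST body, and standard access logs do not record POST bodies, so a request that carries all parameters in the body is invisible to this scan and needs a WAF, reverse-proxy or application-level log instead. The is_internal_target() check is also the minimum a fix would need to apply server-side before fetching a user-supplied URL; resolving the hostname first and re-checking the resolved address closes the DNS-rebinding gap noted in its docstring.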

Remediation

No patched version of the plugin is known at the time of writing. Until one is available, it is recommended to review the vulnerability details and uninstall the affected plugin. Where the plugin must remain in place, keep the number of administrator accounts to a minimum, since the vulnerable function is only reachable with that level of access, and monitor requests to admin-ajax.php for the 'fip_get_image_options' action.

Added: Jul 23, 2025, 3:25 AM
Updated: Jul 23, 2025, 3:25 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  5.8
  remediation     0.0
  relevance       0.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.