Ditty WordPress Plugin Unauthenticated Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Ditty WordPress plugin, affecting versions prior to 3.1.58. The vulnerability arises because the plugin's displayItems REST endpoint lacks a proper authentication and authorization check, allowing unauthenticated users to make the server send requests to arbitrary URLs. Although version 3.1.57 attempted to address this issue by introducing a nonce check, authenticated users, such as subscribers, can still retrieve the nonce and exploit the vulnerability.
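The defect described above is a REST route whose permission check is either absent or reduced to a nonce, which any logged-in subscriber can obtain. The following is an added example, not code from the Ditty plugin, showing how such a route is registered with a real capability check and a URL validator; the namespace `exampleplugin/v1`, the `exampleplugin_*` function names and the `edit_posts` capability are hypothetical choices, while the WordPress core functions used are real.

```php
<?php
// Added example (not the Ditty plugin's code): a hardened registration for a
// "displayItems"-style REST route that fetches a URL supplied in the 'html' field.
// Assumes WordPress core: register_rest_route(), current_user_can(),
// wp_http_validate_url(), wp_safe_remote_get(), rest_ensure_response().

add_action( 'rest_api_init', function () {
    register_rest_route( 'exampleplugin/v1', '/displayItems', array(
        'methods'  => 'POST',
        'callback' => 'exampleplugin_display_items',
        // Weak form, as in the vulnerable versions: no authorization at all.
        // 'permission_callback' => '__return_true',
        // Hardened form: require a capability. A nonce only proves the request
        // originated from a page the user loaded; any subscriber can obtain one,
        // so a nonce check alone is not an authorization check.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'html' => array(
                'required'          => true,
                'validate_callback' => 'exampleplugin_validate_fetch_url',
            ),
        ),
    ) );
} );

// Accept only http(s) URLs to public hosts. wp_http_validate_url() rejects
// loopback, link-local and RFC 1918 targets unless a filter explicitly allows
// them, which blocks the "local address or service on a specific port" case.
function exampleplugin_validate_fetch_url( $value ) {
    if ( ! is_string( $value ) || false === wp_http_validate_url( $value ) ) {
        return new WP_Error(
            'rest_invalid_url',
            'URL must be a public http(s) address.',
            array( 'status' => 400 )
        );
    }
    return true;
}

function exampleplugin_display_items( WP_REST_Request $request ) {
    // wp_safe_remote_get() sets reject_unsafe_urls, so the target (and any
    // redirect it returns) is validated again at request time.
    $response = wp_safe_remote_get( $request->get_param( 'html' ), array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'rest_fetch_failed', $response->get_error_message(), array( 'status' => 502 ) );
    }
    return rest_ensure_response( array( 'html' => wp_remote_retrieve_body( $response ) ) );
}
```

Whether the endpoint should fetch caller-supplied URLs at all is a separate design question; if it must, the capability check and the validated, safe fetch are the two controls this advisory's bug was missing.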

Impact

Exploitation of this vulnerability allows unauthenticated server-side request forgery, where an attacker makes the server issue HTTP requests on the attacker's behalf, potentially reaching internal resources or services that are not exposed directly.

Reproduction

To reproduce this vulnerability, send a POST request to the '/wp-json/dittyeditor/v1/displayItems' endpoint without authentication. Include a payload in the request that specifies a URL in the 'html' field, such as a local address or a service running on a specific port. The server will process the request and fetch the specified URL, demonstrating the SSRF vulnerability.

Remediation

Users are advised to update the Ditty WordPress plugin to version 3.1.58 or later.

Added: Sep 8, 2025, 6:17 AM
Updated: Sep 8, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 0.5
threat: 6.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.