Performance Monitor WordPress Plugin Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the Performance Monitor plugin for WordPress, affecting all versions through 1.0.6. The vulnerability arises from inadequate validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This flaw allows unauthenticated attackers to send web requests to arbitrary locations, including internal services, using the Gopher protocol and other potentially harmful protocols. Exploitation of this vulnerability could lead to remote code execution by chaining with services like Redis.
Impact
Exploitation of this vulnerability allows for server-side request forgery, with the potential to access internal services and execute arbitrary code, particularly by leveraging Redis.
Reproduction
To reproduce this vulnerability, send a request to the '/wp-json/performance-monitor/v1/curl_data' endpoint with a crafted 'url' parameter. The request can be made using a tool like Postman or through a simple script that interacts with the WordPress REST API. Once the request is sent, the server will process it and can be coaxed into making requests to internal services via the Gopher protocol, potentially leading to remote code execution.
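An added example, not part of the original advisory or the plugin's code: a Python triage script that scans web access logs for requests to the curl_data endpoint and flags 'url' values that use a non-HTTP(S) scheme or point at an internal address. It assumes the parameter appears in the query string of a combined-format access log; the log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/performance-monitor/v1/curl_data"
ALLOWED_SCHEMES = {"http", "https"}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines, combined log format (assumption: 'url' is in the query string).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=https%3A%2F%2Fexample.org%2F HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 0
203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-json/performance-monitor/v1/curl_data?url=http%3A%2F%2F10.0.0.5%2Fstatus HTTP/1.1" 200 87
198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096
"""

def url_findings(url):
    """Return the reasons a requested 'url' value should not be fetched server-side."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ["unparseable"]
    reasons = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append("scheme:" + (parts.scheme.lower() or "none"))
    try:
        ip = ipaddress.ip_address(host)
        if not ip.is_global:  # loopback, RFC 1918, link-local and similar ranges
            reasons.append(f"internal-ip:{ip}")
    except ValueError:  # host is a name, not an IP literal
        if host == "localhost" or host.endswith(".localhost"):
            reasons.append("internal-host:" + host)
    return reasons

def scan_log(text):
    """Return (client_ip, url, reasons) for each flagged request to the endpoint."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        target = urlsplit(m.group(2)) if m else None
        if target is None or target.path.rstrip("/") != ENDPOINT:
            continue
        for url in parse_qs(target.query).get("url", []):  # parse_qs percent-decodes
            reasons = url_findings(url)
            if reasons:
                hits.append((m.group(1), url, reasons))
    return hits
```

Hostnames that resolve to internal addresses, and parameters sent in a request body rather than the query string, are not visible to this check.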
