AyeCode UsersWP
cpe:2.3:a:ayecode:userswp:*:*:*:*:wordpress:*:*
- <= 1.2.58
A blind server-side request forgery (SSRF) vulnerability has been identified in the UsersWP WordPress plugin in all versions up to and including 1.2.58. The issue arises from inadequate validation of URL origins in the 'process_image_crop' method, which handles cropping operations for avatars and banners. The method accepts user-controlled URLs through the 'uwp_crop' POST parameter but applies only basic sanitization and file type checks; crucially, it does not ensure that the URL points to a file in the site's own local uploads directory. This oversight allows authenticated attackers with subscriber-level access or higher to make the WordPress server issue arbitrary HTTP requests to external or internal network destinations, potentially scanning internal networks or accessing sensitive services.
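The defect described above is an origin check that is missing before the server acts on a user-supplied image URL. The following PHP is an added example of the kind of check a plugin author would put in front of such a handler; it is not UsersWP's own code and it does not reproduce the fixed 1.2.59 logic. The helper names 'example_uploads_url_to_local_path' and 'example_handle_crop_request' are hypothetical; 'wp_upload_dir()', 'wp_parse_url()', 'wp_unslash()', 'wp_send_json_error()' and 'realpath()' are real WordPress/PHP functions, and 'uwp_crop' is the parameter named in the advisory. The idea is to map the submitted URL onto a file inside the uploads directory and then operate on that local file, so the server never makes an outbound request at all:

```php
<?php
/**
 * Added example (not UsersWP code): resolve a user-supplied image URL to a
 * file inside the local WordPress uploads directory, or reject it.
 * Function names are hypothetical; wp_upload_dir(), wp_parse_url() and
 * realpath() are the real WordPress/PHP APIs used.
 *
 * Returns the canonical filesystem path on success, false otherwise.
 */
function example_uploads_url_to_local_path( $url ) {
    $uploads  = wp_upload_dir();                 // provides 'basedir' and 'baseurl'
    $base_url = wp_parse_url( $uploads['baseurl'] );
    $given    = wp_parse_url( $url );

    if ( ! is_array( $given ) || ! is_array( $base_url ) ) {
        return false;
    }

    // Only absolute http(s) URLs on this site's own host are acceptable.
    // Any other scheme, host or port is an off-site or internal-network target.
    $scheme = isset( $given['scheme'] ) ? strtolower( $given['scheme'] ) : '';
    $host   = isset( $given['host'] ) ? strtolower( $given['host'] ) : '';
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return false;
    }
    if ( '' === $host || $host !== strtolower( $base_url['host'] ) ) {
        return false;
    }
    if ( ( $given['port'] ?? null ) !== ( $base_url['port'] ?? null ) ) {
        return false;
    }

    // The URL path must sit under the uploads base path.
    $base_path  = rtrim( $base_url['path'] ?? '', '/' ) . '/';
    $given_path = $given['path'] ?? '';
    if ( strpos( $given_path, $base_path ) !== 0 ) {
        return false;
    }

    // Map the URL path to a filesystem path and canonicalise it. realpath()
    // resolves any '..' segments or symlinks, so the prefix check below
    // guarantees the file really lives inside basedir.
    $relative = rawurldecode( substr( $given_path, strlen( $base_path ) ) );
    $basedir  = realpath( $uploads['basedir'] );
    $file     = realpath( $uploads['basedir'] . '/' . $relative );
    if ( false === $basedir || false === $file ) {
        return false;   // missing file or unresolvable path
    }
    if ( strpos( $file, $basedir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;   // escaped the uploads directory
    }

    // Restrict to the image types a crop routine is meant to handle.
    $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return false;
    }

    return $file;
}

/**
 * Hypothetical crop handler: validate first, then work on the local file.
 * Nonce and capability checks for the request are assumed to happen before
 * this point and are omitted here.
 */
function example_handle_crop_request() {
    $url  = isset( $_POST['uwp_crop'] ) ? wp_unslash( $_POST['uwp_crop'] ) : '';
    $file = example_uploads_url_to_local_path( $url );
    if ( false === $file ) {
        wp_send_json_error( 'Image must be a file in this site\'s uploads directory.' );
    }
    // ... crop $file with WP_Image_Editor; no remote request is ever made ...
}
```

Two design points worth noting. First, the check compares scheme, host and port against the site's own uploads URL rather than against a blocklist of private address ranges; a blocklist is the usual way SSRF filters get bypassed, whereas an allowlist of one known-good origin has no such edge. Second, the handler never fetches the URL even after validation: it converts the URL to a path and crops the local file, so a validation slip cannot turn into an outbound request. One caveat for deployments that symlink parts of the uploads tree elsewhere: realpath() follows the link, so the prefix check will reject those files and the basedir comparison would need to account for the link target.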
Exploitation of this vulnerability could lead to unauthorized HTTP requests being made from the WordPress server to external or internal destinations, allowing attackers to scan internal networks or access sensitive services.
To reproduce this vulnerability, an authenticated user with subscriber-level access can send a POST request to the server with a crafted 'uwp_crop' parameter. This parameter should include a URL that the attacker controls or an internal URL. The 'process_image_crop' method will then be invoked, and the server will make an outbound HTTP request to the specified URL, effectively carrying out the server-side request forgery.
Users are advised to update the UsersWP plugin to version 1.2.59 or later, where this vulnerability has been patched.