Independent Analytics WordPress Plugin Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Independent Analytics plugin for WordPress, affecting all versions through 2.14.9. The vulnerability arises from a public tracking route that accepts attacker-controlled referrer URL values, combined with a favicon fetcher that performs unrestricted cURL requests to the stored domains. The tracking route's signature validation is inadequate: the signature is publicly accessible, so valid signatures can simply be extracted and reused. This flaw allows unauthenticated attackers to inject malicious referrer domains, which the server then uses as targets for server-side requests to arbitrary hosts, including internal services.

Impact

Exploitation of this vulnerability allows unauthorized server-side request forgery: an attacker can cause the WordPress server to issue requests on their behalf, potentially accessing internal services or resources.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/wp-json/iawp/search' endpoint with a crafted 'referrer_url' parameter. The request must include a valid signature, which can be extracted from the public JavaScript of the plugin. Once the malicious referrer_url is injected into the database, the favicon fetcher will trigger a cURL request to the specified domain, completing the SSRF exploitation.

Remediation

Users are advised to update the Independent Analytics WordPress plugin to version 2.14.10 or later.
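To illustrate what a hardened favicon fetcher has to check before contacting a stored referrer host, the following PHP is an added example; it is not the plugin's code or the 2.14.10 fix, the iawp_example_* names are hypothetical, and it assumes WordPress core is loaded (wp_parse_url(), wp_safe_remote_get() and WP_Error are core).

```php
<?php
// Added example (not the plugin's code); iawp_example_* names are hypothetical.
// Assumes WordPress core is loaded: wp_parse_url(), wp_safe_remote_get(), WP_Error.

// NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects loopback,
// link-local (169.254.0.0/16, fe80::/10), 0.0.0.0/8 and other reserved blocks.
function iawp_example_is_public_ip(string $ip): bool {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Returns the favicon URL to fetch, or null when the referrer must not be contacted.
function iawp_example_safe_favicon_target(string $referrer_url): ?string {
    $parts = wp_parse_url($referrer_url);
    if (!is_array($parts) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // no file://, gopher://, dict:// and friends
    }
    if (isset($parts['port']) && !in_array((int) $parts['port'], [80, 443], true)) {
        return null; // keep the fetcher off internal service ports
    }
    $host = strtolower($parts['host']);
    // A literal IP must itself be public; a hostname must resolve only to public
    // addresses. Check every A record so a mixed answer cannot slip through.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null; // unresolvable (or IPv6-only, which gethostbynamel cannot vet) is refused
    }
    foreach ($ips as $ip) {
        if (!iawp_example_is_public_ip($ip)) {
            return null;
        }
    }
    return $scheme . '://' . $host . '/favicon.ico';
}

function iawp_example_fetch_favicon(string $referrer_url) {
    $target = iawp_example_safe_favicon_target($referrer_url);
    if ($target === null) {
        return new WP_Error('iawp_example_blocked', 'Referrer host is not a public web host.');
    }
    // wp_safe_remote_get() re-validates the URL at request time via
    // wp_http_validate_url(), which refuses loopback and RFC 1918 targets;
    // redirection => 0 stops a public host from bouncing the fetch inward.
    return wp_safe_remote_get($target, ['redirection' => 0, 'timeout' => 5]);
}
```

The DNS lookup in the gate and the one inside the HTTP transport are separate resolutions, so a DNS answer that flips between them can still race this check; pinning the vetted address into the transport (cURL's CURLOPT_RESOLVE) closes that gap.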

Added: May 28, 2026, 6:03 AM
Updated: May 28, 2026, 6:03 AM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          0.6
  exploitability  7.4
  remediation     0.0
  relevance       9.7
  threat          4.8
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.