CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from conducting SSRF attacks through its ping functionality, which may be a problem in multisite configurations.

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.13.0 via the /wp-json/iwp/v1/importer/$IMPORTERID/upload REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

• https://wpscan.com/vulnerability/aeefcc01-bbbf-4d86-9cfd-ea0f9a85e1a5
• CWE-918: Server-Side Request Forgery (SSRF)