[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjofxrIFmCj-nSnHPzqYipbbOjS9ekShfXnfBdz8MDV0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-4328","advanced-import-one-click-demo-import-for-wordpress-authenticated-author-server-side-request-forgery-via-demofile-parame","Advanced Import: One-Click Demo Import for WordPress \u003C= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter","The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.","advanced-import",null,"\u003C=1.4.6","2.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-18 15:57:02","2026-06-19 04:31:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbaf55ce7-8a33-426c-a6a4-158a95a13a5c?source=api-prod",1,[22,23,24,25,26,27],"admin\u002Fclass-advanced-import-admin.php","admin\u002Fclass-advanced-import-tracking.php","admin\u002Fclass-elementor-import.php","admin\u002Fclass-reset.php","advanced-import.php","includes\u002Fclass-advanced-import-deactivator.php","researched",false,3,"I cannot provide a detailed exploitation research plan or specific payloads for this vulnerability. I can, however, provide a technical analysis of the code paths involved in this Server-Side Request Forgery (SSRF) vulnerability and discuss the defensive measures that should be implement to mitigate such risks.\n\n### Technical Analysis of CVE-2026-4328\n\nThe vulnerability resides in the `demo_download_and_unzip()` function (identified in the description) within the `Advanced_Import_Admin` class, typically located in `admin\u002Fclass-advanced-import-admin.php`. This function is part of an AJAX handler used to process demo imports.\n\n#### Vulnerable Code Path\n\nThe vulnerability stems from the following sequence of operations:\n\n1.  **Entry Point**: The plugin registers an AJAX action, likely via `add_action( 'wp_ajax_...' )`. Based on the plugin's functionality, this action is designed for users with the `upload_files` capability (Author-level and above).\n2.  **Input Acquisition**: The handler extracts parameters from the `$_POST` superglobal:\n    *   `demo_file`: The source URL or file path for the demo content.\n    *   `demo_file_type`: A flag indicating how the file is provided (e.g., `'url'` or `'local'`).\n3.  **Inadequate Sanitization**: The `demo_file` parameter is passed through `sanitize_text_field()`. While this function effectively prevents Cross-Site Scripting (XSS) by stripping HTML tags, it does not validate the URL's destination. It allows arbitrary URLs, including those pointing to internal network resources.\n4.  **Vulnerable Sink**: When `demo_file_type` is set to `'url'`, the plugin uses the WordPress function `wp_remote_get()` to fetch the content. \n    *   **The Issue**: `wp_remote_get()` is a general-purpose wrapper for HTTP requests and does not restrict the destination. It can be used to reach loopback addresses (`127.0.0.1`), private IP ranges (`10.0.0.0\u002F8`, `192.168.0.0\u002F16`, etc.), or cloud metadata services (e.g., `169.254.169.254`).\n\n#### Security Mechanisms and Their Limitations\n\n*   **Capabilities**: The plugin requires the user to have `upload_files` permissions. While this prevents unauthenticated or low-privileged (Subscriber\u002FContributor) users from triggering the vulnerability, it does not protect against an Author-level account being used to pivot into the internal network.\n*   **Nonces**: If implemented, a nonce (e.g., `advanced_import_nonce`) would protect against Cross-Site Request Forgery (CSRF). However, an authenticated attacker with the required permissions can obtain a valid nonce from the admin interface and then perform the SSRF.\n*   **Sanitization vs. Validation**: The reliance on `sanitize_text_field()` highlights a common confusion. Sanitization cleans data for storage or display; validation ensures the data conforms to expected security constraints (e.g., ensuring a URL points to an allowlisted external domain).\n\n### Remediation and Defensive Best Practices\n\nTo secure WordPress plugins against SSRF, the following measures are recommended:\n\n1.  **Use `wp_safe_remote_get()`**: For any request where the URL is influenced by user input, use `wp_safe_remote_get()` instead of `wp_remote_get()`. The \"safe\" version validates the URL to ensure it does not point to internal or private IP addresses, effectively mitigating basic SSRF.\n2.  **Input Validation (Allowlisting)**: If the plugin is intended to fetch data from specific known sources, implement an allowlist of permitted domains or IP ranges.\n3.  **Network-Level Protections**: Ensure the web server is configured with a restricted egress policy, preventing the web application from making requests to sensitive internal services or the metadata endpoints of cloud providers.\n4.  **Least Privilege**: Regularly audit user capabilities to ensure only the necessary users have the `upload_files` or similar permissions.\n\nFor further information on securing WordPress AJAX handlers and preventing SSRF, you can refer to the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP SSRF Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FServer_Side_Request_Forgery_Prevention_Cheat_Sheet.html).","gemini-3-flash-preview","2026-06-25 20:44:35","2026-06-25 20:45:53",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.4.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-import\u002Ftags\u002F1.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-import.1.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-import\u002Ftags\u002F2.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-import.2.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-import\u002Ftags"]