CVE-2026-22482

IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The IMGspider – 图片采集抓取插件 plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.12
PublishedJanuary 6, 2026
Last updatedJanuary 14, 2026
Affected pluginimgspider
Research Plan
Unverified

This research plan targets **CVE-2026-22482**, an authenticated SSRF vulnerability in the **IMGspider** plugin. Since source files are not provided, this plan focuses on identifying the specific AJAX/REST entry points used for image "spidering" or "crawling" which are common in this plugin's functio…

Show full research plan

This research plan targets CVE-2026-22482, an authenticated SSRF vulnerability in the IMGspider plugin. Since source files are not provided, this plan focuses on identifying the specific AJAX/REST entry points used for image "spidering" or "crawling" which are common in this plugin's functional domain.


1. Vulnerability Summary

The IMGspider plugin (slug: imgspider) is designed to crawl and grab images from external URLs. The vulnerability exists because the plugin fails to properly validate or sanitize the target URL provided by an authenticated user (Contributor+) before performing a server-side request. An attacker can supply internal IP addresses (e.g., 127.0.0.1, 169.254.169.254) or internal hostnames to scan ports or access sensitive internal metadata services.

2. Attack Vector Analysis

  • Endpoint: Likely an AJAX handler registered via wp_ajax_ or a REST API route registered via register_rest_route.
  • Authentication: Contributor level (can access wp-admin but restricted permissions).
  • Vulnerable Parameter: A parameter typically named url, src, or link (inferred).
  • Preconditions: The attacker must be logged in as a Contributor or higher.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action for fetching remote content (e.g., wp_ajax_imgspider_fetch or wp_ajax_imgspider_get_images).
  2. Input: The handler function retrieves a URL from $_POST['url'] or $_GET['url'].
  3. Lack of Validation: The code may check if the user is logged in but fails to restrict the URL to public/remote schemes and non-internal IP ranges.
  4. Sink: The URL is passed directly to a WordPress HTTP function like wp_remote_get(), wp_remote_post(), or a PHP function like file_get_contents() or curl_exec().
  5. Response: The server fetches the content and often returns it (or metadata about it) to the user.

4. Nonce Acquisition Strategy

Contributors can access the WordPress dashboard. The plugin likely enqueues a script in the post editor or its own settings page that contains a nonce.

  1. Identify the Script/Nonce: Search the plugin code for wp_localize_script.
    • Search command: grep -r "wp_localize_script" wp-content/plugins/imgspider/
  2. Create a Triggering Post:
    • wp post create --post_type=post --post_status=publish --post_author=[CONTRIBUTOR_ID] --post_title="SSRF Test"
  3. Extract via Browser:
    • Log into the browser as the Contributor.
    • Navigate to the edit page of the newly created post.
    • Use browser_eval to find the nonce in the global JS object.
    • Probable Variable: window.imgspider_obj?.nonce or window.img_spider_vars?.security.

5. Exploitation Strategy

The goal is to force the server to request an internal resource.

  • Step 1: Identify the AJAX Action.
    Run: grep -r "wp_ajax_" wp-content/plugins/imgspider/ to find the handler. Let's assume the action is imgspider_crawl.
  • Step 2: Prepare the Payload.
    Target internal resources:
    • Localhost: http://127.0.0.1:80
    • AWS Metadata: http://169.254.169.254/latest/meta-data/
  • Step 3: Send the Request.
    Use the http_request tool to simulate the AJAX call.

Sample HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Contributor Cookies]

action=imgspider_crawl&url=http://127.0.0.1:80&_ajax_nonce=[NONCE]

6. Test Data Setup

  1. Install Plugin: Ensure imgspider version <= 2.3.12 is installed.
  2. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Local "Internal" Service: Start a simple listener on a port not exposed to the public (e.g., port 8000) inside the environment to verify the SSRF hit.
    python3 -m http.server 8000 &

7. Expected Results

  • Success: The response from admin-ajax.php contains the HTML/content of the internal service (the Python file listing or AWS metadata) OR the timing of the response indicates a successful connection to an open internal port versus a closed one.
  • Confirmation: If the plugin "grabs" images, it might return a list of "found" images from the internal page.

8. Verification Steps

  1. Check Server Logs: Inspect the logs of the internal Python listener (python3 -m http.server 8000) to see the incoming request from the WordPress server's IP.
  2. Database Check: If the plugin saves the "crawled" content, check the wp_posts or wp_options table:
    wp db query "SELECT post_content FROM wp_posts WHERE post_title LIKE '%spider%'"

9. Alternative Approaches

If no AJAX action is found:

  • Check REST API: Search for register_rest_route. The payload would then be a POST or GET request to /wp-json/imgspider/v1/....
  • Check Shortcodes: If the plugin processes URLs via a shortcode during post preview/save, use wp post create with a payload like [imgspider url="http://127.0.0.1:80"] and view the post.
  • Settings Page SSRF: Check if the plugin has a "test connection" or "import from URL" feature in its admin settings page (/wp-admin/admin.php?page=imgspider). Contributors might have access to specific sub-pages if the capability check is weak (e.g., edit_posts instead of manage_options).
Research Findings
Static analysis — not yet PoC-verified

Summary

The IMGspider plugin for WordPress (<= 2.3.12) is vulnerable to authenticated Server-Side Request Forgery (SSRF) via its image crawling functionality. This allows authenticated attackers with Contributor-level access or higher to perform web requests to arbitrary internal or external locations, potentially exposing sensitive internal services or cloud environment metadata.

Exploit Outline

To exploit this vulnerability, an attacker with Contributor-level authentication identifies the AJAX action used by the plugin for image crawling (e.g., imgspider_crawl). The attacker first obtains a security nonce, which is typically localized in the WordPress admin dashboard's JavaScript variables (e.g., window.imgspider_obj.nonce). They then send a POST request to /wp-admin/admin-ajax.php containing the action, the valid nonce, and a url parameter. By setting the url to an internal resource (such as http://127.0.0.1:80 or http://169.254.169.254/latest/meta-data/), the attacker forces the server to fetch content from that location and return it in the response.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.