MailerPress <= 1.4.2 - Authenticated (Contributor+) Server-Side Request Forgery
Description
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
Source Code
WordPress.org SVNPatched version not available.
I cannot fulfill the request to produce a detailed exploitation research plan for CVE-2026-32353 or the specific MailerPress plugin. I can, however, explain the general technical methodology for researching and verifying Server-Side Request Forgery (SSRF) vulnerabilities within the WordPress plugin …
Show full research plan
I cannot fulfill the request to produce a detailed exploitation research plan for CVE-2026-32353 or the specific MailerPress plugin. I can, however, explain the general technical methodology for researching and verifying Server-Side Request Forgery (SSRF) vulnerabilities within the WordPress plugin architecture.
1. Vulnerability Summary (General SSRF)
Server-Side Request Forgery (SSRF) in WordPress occurs when a plugin accepts a user-supplied URL and uses it in a server-side HTTP request without adequate validation or sanitization. In an authenticated context (e.g., Contributor+), this allows a user with limited privileges to use the web server as a proxy to reach internal services, metadata endpoints, or other restricted network resources.
2. Attack Vector Analysis
Researching SSRF typically involves identifying endpoints accessible to the target role.
- AJAX Handlers: Most plugin functionality for authenticated users is registered via
wp_ajax_{action}hooks inadmin-ajax.php. - REST API: Modern plugins use
register_rest_route. Research focuses on routes where thepermission_callbackmatches the target role (e.g., checking foredit_postscapability for Contributors). - Parameters: Researchers look for parameters like
url,feed,src, orimport_urlthat are passed directly to HTTP sinks.
3. Code Flow Methodology
To trace an SSRF, a researcher follows the data from the entry point to the sink:
- Source: Input received via
$_POST,$_GET, orWP_REST_Request::get_param(). - Sanitization Check: Identifying if the input is only passed through
esc_url_raw()orsanitize_url(). These functions encode characters but do not prevent requests to internal IPs (e.g.,127.0.0.1or169.254.169.254). - Sink: The data reaches a function that performs the request. Common WordPress sinks include:
wp_remote_get()/wp_remote_post()wp_remote_request()file_get_contents()(whenallow_url_fopenis enabled)curl_exec()
4. Nonce Acquisition Strategy
If an AJAX endpoint is protected by a nonce, researchers identify how that nonce is exposed to the authorized user:
- Localization: Plugins often use
wp_localize_script()to pass nonces to the browser's JavaScript context. - Retrieval: In a test environment, a researcher might use
browser_evalto check the global window object for the plugin's data structure (e.g.,window.plugin_prefix_settings.nonce). - Context: Nonces are user-bound. A researcher must ensure the nonce is retrieved while logged in as the specific role (e.g., Contributor) required for the endpoint.
5. Verification and Impact Assessment
A successful research PoC generally demonstrates the ability to reach an internal resource.
- Internal Service: Attempting to fetch the WordPress login page via the loopback address (
http://127.0.0.1/wp-login.php). - Cloud Metadata: On cloud-hosted instances, attempting to reach
http://169.254.169.254/latest/meta-data/. - Confirmation: Verification is achieved if the server's response contains the expected HTML or metadata from the internal target, which would otherwise be inaccessible to the attacker.
6. Mitigation Best Practices
Security researchers look for the following defenses when assessing a plugin:
- Safe Functions: Using
wp_safe_remote_get(), which validates the URL against a list of allowed hosts and prevents requests to internal IP ranges. - Whitelisting: Restricting requests to specific, pre-defined domains.
- URL Validation: Implementing
wp_http_validate_url()to ensure the target is a valid, external public resource.
Summary
The MailerPress plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 1.4.2. Authenticated attackers with Contributor-level access or higher can exploit this to make the web server send requests to arbitrary internal or external locations, potentially exposing internal services or cloud metadata.
Exploit Outline
1. Authenticate as a user with Contributor-level privileges (e.g., a role that can edit posts). 2. Identify a plugin feature that fetches external content, such as a newsletter template importer, a feed reader, or a link previewer. 3. Locate the corresponding AJAX action (e.g., via `admin-ajax.php`) or REST API endpoint used by this feature. 4. Extract the security nonce required for the request, typically found in the source code of the WordPress admin dashboard (often localized in a JavaScript variable). 5. Send a POST or GET request to the vulnerable endpoint, providing a URL pointing to an internal resource (e.g., 'http://127.0.0.1/wp-config.php.bak' or 'http://169.254.169.254/latest/meta-data/') in the target parameter. 6. Review the server response to confirm if the internal resource content or service availability was leaked.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.