Share This Image <= 2.14 - Unauthenticated Server-Side Request Forgery
Description
The Share This Image plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.14What Changed in the Fix
Changes introduced in v2.15
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-42641 (Share This Image <= 2.14) ## 1. Vulnerability Summary The **Share This Image** plugin for WordPress is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)** via its AJAX interface. The vulnerability exists because the plugin registers an …
Show full research plan
Exploitation Research Plan: CVE-2026-42641 (Share This Image <= 2.14)
1. Vulnerability Summary
The Share This Image plugin for WordPress is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF) via its AJAX interface. The vulnerability exists because the plugin registers an AJAX handler (typically wp_ajax_nopriv_sti_get_image_content or a similar action) that accepts a user-provided URL and fetches its content using a WordPress HTTP API function (like wp_remote_get) without sufficient validation of the target host. This allows an unauthenticated attacker to coerce the server into making requests to internal network services or sensitive metadata endpoints (e.g., AWS Instance Metadata Service).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action (inferred):
sti_get_image_contentorsti_short_link - Vulnerable Parameter:
urlorimg_url(inferred) - Authentication: None (vulnerable via
wp_ajax_nopriv_) - Preconditions: The plugin must be active and the corresponding AJAX handler must be registered. A valid nonce is likely required, which is exposed to unauthenticated users on the frontend.
3. Code Flow
- Registration: The plugin (in
includes/admin/class-sti-admin-ajax.php, inferred) registers an unauthenticated AJAX hook:add_action( 'wp_ajax_nopriv_sti_get_image_content', array( $this, 'sti_get_image_content' ) ); - Entry Point: The
sti_get_image_contentmethod is triggered by a POST request toadmin-ajax.php. - Nonce Verification: The handler likely calls
check_ajax_referer( 'sti_nonce', 'nonce' )or similar. Since the plugin enqueues its scripts for unauthenticated visitors, this nonce is publicly accessible. - Sink: The handler takes the
urlparameter and passes it directly towp_remote_get():$url = $_POST['url']; // Insufficiently validated $response = wp_remote_get( $url ); echo wp_remote_retrieve_body( $response ); - Output: The content of the coerced request is returned to the attacker.
4. Nonce Acquisition Strategy
The plugin localizes security tokens in the frontend through the sti_vars object. These are available to any visitor on pages where the plugin's JS is loaded.
- Identify Trigger: The plugin loads
assets/js/sti.json pages containing images or where the "Share This Image" buttons are active. - Environment Setup:
- Create a public post with a standard image:
wp post create --post_type=post --post_status=publish --post_title="SSRF Test" --post_content='<img src="http://example.com/test.jpg">'
- Create a public post with a standard image:
- Extraction:
- Navigate to the newly created post using
browser_navigate. - Use
browser_evalto extract the nonce from the globalsti_varsobject. - JS Key:
window.sti_vars?.nonce(based onassets/js/sti.jslocalizingsti_vars).
- Navigate to the newly created post using
5. Exploitation Strategy
Step 1: Extract the Nonce
Use the automated browser to find the valid nonce for the current session.
- URL:
http://localhost:8080/?p=[POST_ID] - Command:
browser_eval("window.sti_vars.nonce")
Step 2: Perform the SSRF
Send a POST request to the AJAX endpoint targeting an internal service or a local listener.
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=sti_get_image_content(verify exact action name if this fails)nonce=[EXTRACTED_NONCE]url=http://127.0.0.1:80/(or a mock service IP to demonstrate internal access)
Step 3: Verify Data Leakage
Observe the HTTP response body. A successful exploit will return the HTML content or service response from the internal URL provided in the url parameter.
6. Test Data Setup
- Plugin Configuration: Ensure "Share This Image" is activated.
- Mock Target: Start a simple listener or use an existing internal WP page (e.g.,
http://localhost:8080/wp-login.php) as the target for the SSRF to verify the server can "see" itself. - Public Content: Create a post with an image to ensure
sti_varsis localized and enqueued.
7. Expected Results
- The
admin-ajax.phpresponse should have a200 OKstatus. - The response body should contain the content of the target URL (e.g., the HTML source of the
wp-login.phppage if targeted). - If targeting a non-existent internal port, the response may contain a WordPress Error object or a timeout message, confirming the request was attempted.
8. Verification Steps
- Server Logs: Check the access logs of the target internal service (if applicable) to see an incoming request from the WordPress server's IP address.
- Response Inspection: Confirm that the data returned in the AJAX response matches the expected output of the internal service.
9. Alternative Approaches
- Action Discovery: If
sti_get_image_contentis incorrect, search the plugin directory for otherwp_ajax_nopriv_registrations:grep -rn "wp_ajax_nopriv_" includes/ - Shortlink SSRF: Check if the SSRF exists in the shortlink generation feature:
- Action:
sti_short_link - Parameters:
url=[TARGET_URL]
- Action:
- Parameter Fuzzing: If
urlis not the parameter name, tryimg,src,media, orlink(based on identifiers found inassets/js/sti.js).
Summary
The Share This Image plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 2.14. This allow attackers to induce the server into making arbitrary web requests to internal or external systems, potentially exposing sensitive information from internal services or metadata endpoints.
Security Fix
@@ -440,6 +440,21 @@ switch( network ) { case "facebook" : + if ( methods.isMobile() ) { + var fbAppUrl = 'fb://share?link=' + encodeURIComponent(data.page); + var webUrl = 'https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(data.page); + var appOpened = false; + var fallbackTimer = setTimeout(function() { + if ( !appOpened ) { window.location.href = webUrl; } + }, 1500); + window.addEventListener('blur', function onBlur() { + appOpened = true; + clearTimeout(fallbackTimer); + window.removeEventListener('blur', onBlur); + }); + window.location.href = fbAppUrl; + return; + } url += 'https://www.facebook.com/sharer/sharer.php?u='; url += encodeURIComponent(data.page); break;
Exploit Outline
The exploit methodology involves two phases. First, an unauthenticated attacker visits any public page where the plugin is active and extracts a valid security nonce from the global JavaScript object 'sti_vars'. Second, the attacker sends an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using the action 'sti_get_image_content' (or similar identified handler). By including the extracted nonce and providing an arbitrary URL in a parameter like 'url', the attacker forces the WordPress server to perform a GET request to the specified target and return the response body, enabling the attacker to query internal network resources.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.