CVE-2026-42641

Share This Image <= 2.14 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
2.15
Patched in
89d
Time to patch

Description

The Share This Image plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.14
PublishedFebruary 13, 2026
Last updatedMay 12, 2026
Affected pluginshare-this-image

What Changed in the Fix

Changes introduced in v2.15

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-42641 (Share This Image <= 2.14) ## 1. Vulnerability Summary The **Share This Image** plugin for WordPress is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)** via its AJAX interface. The vulnerability exists because the plugin registers an …

Show full research plan

Exploitation Research Plan: CVE-2026-42641 (Share This Image <= 2.14)

1. Vulnerability Summary

The Share This Image plugin for WordPress is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF) via its AJAX interface. The vulnerability exists because the plugin registers an AJAX handler (typically wp_ajax_nopriv_sti_get_image_content or a similar action) that accepts a user-provided URL and fetches its content using a WordPress HTTP API function (like wp_remote_get) without sufficient validation of the target host. This allows an unauthenticated attacker to coerce the server into making requests to internal network services or sensitive metadata endpoints (e.g., AWS Instance Metadata Service).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action (inferred): sti_get_image_content or sti_short_link
  • Vulnerable Parameter: url or img_url (inferred)
  • Authentication: None (vulnerable via wp_ajax_nopriv_)
  • Preconditions: The plugin must be active and the corresponding AJAX handler must be registered. A valid nonce is likely required, which is exposed to unauthenticated users on the frontend.

3. Code Flow

  1. Registration: The plugin (in includes/admin/class-sti-admin-ajax.php, inferred) registers an unauthenticated AJAX hook:
    add_action( 'wp_ajax_nopriv_sti_get_image_content', array( $this, 'sti_get_image_content' ) );
  2. Entry Point: The sti_get_image_content method is triggered by a POST request to admin-ajax.php.
  3. Nonce Verification: The handler likely calls check_ajax_referer( 'sti_nonce', 'nonce' ) or similar. Since the plugin enqueues its scripts for unauthenticated visitors, this nonce is publicly accessible.
  4. Sink: The handler takes the url parameter and passes it directly to wp_remote_get():
    $url = $_POST['url']; // Insufficiently validated
    $response = wp_remote_get( $url );
    echo wp_remote_retrieve_body( $response );
    
  5. Output: The content of the coerced request is returned to the attacker.

4. Nonce Acquisition Strategy

The plugin localizes security tokens in the frontend through the sti_vars object. These are available to any visitor on pages where the plugin's JS is loaded.

  1. Identify Trigger: The plugin loads assets/js/sti.js on pages containing images or where the "Share This Image" buttons are active.
  2. Environment Setup:
    • Create a public post with a standard image:
      wp post create --post_type=post --post_status=publish --post_title="SSRF Test" --post_content='<img src="http://example.com/test.jpg">'
  3. Extraction:
    • Navigate to the newly created post using browser_navigate.
    • Use browser_eval to extract the nonce from the global sti_vars object.
    • JS Key: window.sti_vars?.nonce (based on assets/js/sti.js localizing sti_vars).

5. Exploitation Strategy

Step 1: Extract the Nonce

Use the automated browser to find the valid nonce for the current session.

  • URL: http://localhost:8080/?p=[POST_ID]
  • Command: browser_eval("window.sti_vars.nonce")

Step 2: Perform the SSRF

Send a POST request to the AJAX endpoint targeting an internal service or a local listener.

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    • action=sti_get_image_content (verify exact action name if this fails)
    • nonce=[EXTRACTED_NONCE]
    • url=http://127.0.0.1:80/ (or a mock service IP to demonstrate internal access)

Step 3: Verify Data Leakage

Observe the HTTP response body. A successful exploit will return the HTML content or service response from the internal URL provided in the url parameter.

6. Test Data Setup

  1. Plugin Configuration: Ensure "Share This Image" is activated.
  2. Mock Target: Start a simple listener or use an existing internal WP page (e.g., http://localhost:8080/wp-login.php) as the target for the SSRF to verify the server can "see" itself.
  3. Public Content: Create a post with an image to ensure sti_vars is localized and enqueued.

7. Expected Results

  • The admin-ajax.php response should have a 200 OK status.
  • The response body should contain the content of the target URL (e.g., the HTML source of the wp-login.php page if targeted).
  • If targeting a non-existent internal port, the response may contain a WordPress Error object or a timeout message, confirming the request was attempted.

8. Verification Steps

  1. Server Logs: Check the access logs of the target internal service (if applicable) to see an incoming request from the WordPress server's IP address.
  2. Response Inspection: Confirm that the data returned in the AJAX response matches the expected output of the internal service.

9. Alternative Approaches

  • Action Discovery: If sti_get_image_content is incorrect, search the plugin directory for other wp_ajax_nopriv_ registrations:
    grep -rn "wp_ajax_nopriv_" includes/
  • Shortlink SSRF: Check if the SSRF exists in the shortlink generation feature:
    • Action: sti_short_link
    • Parameters: url=[TARGET_URL]
  • Parameter Fuzzing: If url is not the parameter name, try img, src, media, or link (based on identifiers found in assets/js/sti.js).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Share This Image plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) in versions up to and including 2.14. This allow attackers to induce the server into making arbitrary web requests to internal or external systems, potentially exposing sensitive information from internal services or metadata endpoints.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.14/assets/js/sti.js /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.15/assets/js/sti.js
--- /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.14/assets/js/sti.js	2026-04-21 11:11:04.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/share-this-image/2.15/assets/js/sti.js	2026-04-27 11:42:52.000000000 +0000
@@ -440,6 +440,21 @@
 				switch( network ) {
 				
 					case "facebook" :
+						if ( methods.isMobile() ) {
+							var fbAppUrl = 'fb://share?link=' + encodeURIComponent(data.page);
+							var webUrl = 'https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(data.page);
+							var appOpened = false;
+							var fallbackTimer = setTimeout(function() {
+								if ( !appOpened ) { window.location.href = webUrl; }
+							}, 1500);
+							window.addEventListener('blur', function onBlur() {
+								appOpened = true;
+								clearTimeout(fallbackTimer);
+								window.removeEventListener('blur', onBlur);
+							});
+							window.location.href = fbAppUrl;
+							return;
+						}
                         url += 'https://www.facebook.com/sharer/sharer.php?u=';
                         url += encodeURIComponent(data.page);
 					break;

Exploit Outline

The exploit methodology involves two phases. First, an unauthenticated attacker visits any public page where the plugin is active and extracts a valid security nonce from the global JavaScript object 'sti_vars'. Second, the attacker sends an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using the action 'sti_get_image_content' (or similar identified handler). By including the extracted nonce and providing an arbitrary URL in a parameter like 'url', the attacker forces the WordPress server to perform a GET request to the specified target and return the response body, enabling the attacker to query internal network resources.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.