Smart Auto Upload Images – Import External Images <= 1.2.2 - Authenticated (Contributor+) Server-Side Request Forgery
Description
The Smart Auto Upload Images – Import External Images plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.2.2What Changed in the Fix
Changes introduced in v1.2.3
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-23803 (Smart Auto Upload Images SSRF) ## 1. Vulnerability Summary The **Smart Auto Upload Images – Import External Images** plugin (<= 1.2.2) is vulnerable to **Authenticated Server-Side Request Forgery (SSRF)**. The plugin's core functionality is to automatic…
Show full research plan
Exploitation Research Plan: CVE-2026-23803 (Smart Auto Upload Images SSRF)
1. Vulnerability Summary
The Smart Auto Upload Images – Import External Images plugin (<= 1.2.2) is vulnerable to Authenticated Server-Side Request Forgery (SSRF). The plugin's core functionality is to automatically detect external image URLs in post content or specified metadata, download them to the local media library, and replace the original URLs. This process involves the server making outbound HTTP requests. The vulnerability exists because the plugin fails to properly validate or restrict the destination of these requests, allowing a user with at least Contributor permissions to force the server to query internal services or arbitrary external locations.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/post.php(via the standard WordPress post save/update flow) or/wp-admin/admin-ajax.php. - Trigger: Saving or updating a post that contains an
<img>tag with a remotesrcattribute. - Authentication: Authenticated, Contributor-level access or higher.
- Payload Location: The
post_contentparameter in a POST request topost.php. - Preconditions: The plugin must be active, and the post type being edited must be one that the plugin is configured to monitor (default includes 'post' and 'page').
3. Code Flow (Inferred from Source/Description)
- Hook Registration: The plugin (
smart-auto-upload-images.php) initializesSmartAutoUploadImages\Services\ImageProcessor. This class likely hooks intosave_postorwp_insert_post_data. - Detection: Upon saving a post,
ImageProcessor::process()(inferred) uses a regular expression to find allsrcattributes of<img>tags in thepost_content. - Validation: The plugin checks if the domain is "external" (not matching the current site's domain) and not in the "Excluded Domains" list.
- The Sink: For each external URL, the plugin calls
SmartAutoUploadImages\Services\ImageDownloader::download()(inferred). - Request Execution: Inside
download(), the plugin useswp_remote_get()or a similar PHP function to fetch the image. Since it does not usewp_safe_remote_get()or perform IP/port blacklisting, an attacker can specify internal IPs (e.g.,127.0.0.1,169.254.169.254) or internal ports.
4. Nonce Acquisition Strategy
To exploit this as a Contributor, we must simulate the post-saving process, which requires a WordPress post nonce.
- Identify Entry Point: Navigate to the "Add New Post" page.
- Create Draft: Create a draft post via
wp-clior a simple POST topost-new.phpto get apost_ID. - Extract Nonces:
- Navigate to
/wp-admin/post.php?post=[post_ID]&action=edit. - Use
browser_evalto extract the required nonces:_wpnonce:document.querySelector('#_wpnonce').value_wp_http_referer:document.querySelector('input[name="_wp_http_referer"]').value
- Navigate to
5. Exploitation Strategy
We will use the standard post-update mechanism to trigger the SSRF.
Step 1: Data Setup
Create a Contributor user and a target post.
wp user create attacker contributor@example.com --role=contributor --user_pass=password
POST_ID=$(wp post create --post_type=post --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title="SSRF Test" --field=ID)
Step 2: Login and Nonce Extraction
Use the browser to login as the contributor and grab the nonce from the edit page of $POST_ID.
Step 3: Trigger SSRF via Post Content
Perform an HTTP request to update the post content with an "external image" pointing to an internal resource.
Request Details:
- URL:
http://[target]/wp-admin/post.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Payload:
action=editpost
post_ID=[POST_ID]
_wpnonce=[NONCE]
_wp_http_referer=/wp-admin/post.php?post=[POST_ID]&action=edit
post_title=SSRF Exploit
post_content=<img src="http://127.0.0.1:80/secret-internal-service" />
publish=Save Draft
Step 4: Out-of-Band (OOB) Testing (Alternative)
If the internal target is blind, use a collaborator/webhook URL:
<img src="https://your-webhook.com/ssrftest" />
6. Test Data Setup
- Internal Target: Set up a dummy service listening on an internal port (e.g., port 80 or 8080) that logs requests.
- Plugin Config: Ensure the plugin is active and "Posts" are enabled in Settings -> Auto Upload Images.
7. Expected Results
- Success: The WordPress server makes an outbound HTTP request to the URL specified in the
srcattribute. - Evidence:
- Access logs of the internal service/webhook will show a request originating from the WordPress server's IP.
- The User-Agent will likely be
WordPress/[version]; [site_url]. - The plugin may attempt to "process" the response as an image. If the target is not an image, it might log an error in
wp-content/debug.logifWP_DEBUGis on.
8. Verification Steps
After the HTTP request, verify if the plugin attempted to download the "image":
- Check the Media Library:
wp media list - Check for newly created attachments associated with
$POST_ID. - Check the post content to see if the URL was replaced:
wp post get [POST_ID] --field=post_content
If the SSRF was successful and the plugin thought it downloaded a file, the URLhttp://127.0.0.1/...will be replaced by a local/wp-content/uploads/...URL.
9. Alternative Approaches
"Featured Image from URL" Vector
The README mentions a "Set from URL" field for featured images.
- Inspect the "Edit Post" page for a field named
smart_aui_external_featured_imageor similar. - If found, submit the internal URL via this field during the
post.phpupdate.
Settings Preview Vector (Contributor+ check needed)
Check if the /smart-aui/v1/preview-pattern REST endpoint accepts a URL for testing patterns.
- Endpoint:
/wp-json/smart-aui/v1/preview-pattern - Method:
POST - Data:
{ "pattern": "%filename%", "url": "http://127.0.0.1/test" }(Verify parameter names inadmin-settings.js).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.