[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcmAeKvzJvzVxpJzgIRETUQmWXUP36zOJ6uM8l-4K0pU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14610","tablemaster-for-elementor-authenticated-author-server-side-request-forgery-via-csvurl-parameter","TableMaster for Elementor \u003C= 1.3.6 - Authenticated (Author+) Server-Side Request Forgery via 'csv_url' Parameter","The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. 
This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.","tablemaster-for-elementor",null,"\u003C=1.3.6","1.3.7","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-01-27 17:21:05","2026-01-28 05:30:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=api-prod",1,[],"researched",false,3,"Based on the vulnerability description for **CVE-2025-14610**, this is an authenticated (Author+) Server-Side Request Forgery (SSRF) in the **TableMaster for Elementor** plugin. The flaw exists because the plugin fails to validate the `csv_url` parameter when fetching remote data for its Data Table widget.\n\nSince source files were not provided, this plan is based on the vulnerability report and standard Elementor widget implementation patterns.\n\n---\n\n### 1. Vulnerability Summary\nThe **TableMaster for Elementor** plugin allows users to populate tables using remote CSV files. The vulnerability lies in the functionality that handles this \"Remote CSV\" source. An attacker with Author-level permissions (the minimum level required to edit posts\u002Fpages and use Elementor) can provide an arbitrary URL (including internal IPs or local file paths via the `file:\u002F\u002F` protocol) to the `csv_url` parameter. The server then fetches this URL and returns the content, leading to SSRF and potential local file disclosure.\n\n### 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint**: `wp-admin\u002Fadmin-ajax.php` (standard for Elementor widget data fetching) or an Elementor-specific REST API route.\n*   **Vulnerable Parameter**: `csv_url`\n*   **Authentication**: Required (Author or higher).\n*   **Preconditions**: The plugin must be active, and the attacker must have credentials for a user with the `edit_posts` capability (Author).\n\n### 3. Code Flow (Inferred)\n1.  The user adds a **TableMaster Data Table** widget in the Elementor editor.\n2.  The user selects \"Remote CSV\" as the data source.\n3.  The Elementor editor (or the frontend rendering engine) triggers a request to fetch the CSV data.\n4.  The request is handled by a function (e.g., `fetch_remote_csv` or `get_csv_content`) inside the plugin's widget class (likely `inc\u002Fwidgets\u002Ftable-master-table.php`).\n5.  This function takes the user-supplied `csv_url` and passes it directly to a sink like `wp_remote_get()` or `file_get_contents()` without validating the scheme (e.g., forcing `http\u002Fhttps`) or checking if the host is internal.\n6.  The content of the fetched resource is then processed and potentially displayed or returned in the response.\n\n### 4. Nonce Acquisition Strategy\nElementor-based plugins typically expose nonces via `wp_localize_script` to handle AJAX requests within the editor.\n\n1.  **Identify Shortcode\u002FWidget**: The plugin's functionality is tied to the `TableMaster` Data Table widget.\n2.  **Creation**: Use WP-CLI to create a page containing a placeholder for the widget or just a standard Elementor-enabled page.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"SSRF Test\" --post_author=$(wp user get author --field=ID)\n    ```\n3.  **Discovery**: Navigate to the Elementor editor as the Author.\n4.  **Extraction**: Use `browser_eval` to find nonces. 
Look for objects like `tablemaster_ajax_obj` or `tm_settings`.\n    *   **Candidate JS Variables**: `window.tm_editor_config?.nonce`, `window.tm_table_data?.nonce`.\n    *   **Action String**: Likely `tablemaster_fetch_csv` or similar.\n\n*If the vulnerability triggers on the frontend during page render:* No nonce may be required, just the `post_id` and the specific widget configuration.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication\nLog in to the WordPress instance as an **Author** user using the `browser_navigate` tool to establish a session.\n\n#### Step 2: Identification of AJAX Action\nPerform a grep on the plugin directory to find the specific AJAX handler:\n```bash\ngrep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Ftablemaster-for-elementor\u002F\n```\nLook for actions related to \"csv\" or \"remote\". Let's assume the action is `tm_fetch_remote_csv`.\n\n#### Step 3: Crafting the SSRF Payload\nWe will attempt to read `\u002Fetc\u002Fpasswd` or `wp-config.php` using the `file:\u002F\u002F` protocol.\n\n**Request Template (via `http_request`):**\n*   **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    action=tm_fetch_remote_csv&nonce=[EXTRACTED_NONCE]&csv_url=file:\u002F\u002F\u002Fetc\u002Fpasswd\n    ```\n\n#### Step 4: Internal Network Scanning (Alternative)\nIf `file:\u002F\u002F` is blocked but `http:\u002F\u002F` is allowed, attempt to hit the AWS Metadata service (if applicable) or a local service:\n*   **Payload**: `csv_url=http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F`\n*   **Payload**: `csv_url=http:\u002F\u002Flocalhost:80\u002F`\n\n### 6. Test Data Setup\n1.  **User**: Create an author user.\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n2.  
**Target File**: Ensure a sensitive file exists in the environment (e.g., `\u002Fetc\u002Fpasswd` or the `wp-config.php` file).\n\n### 7. Expected Results\n*   **Success (LFI\u002FSSRF)**: The HTTP response from `admin-ajax.php` will contain the raw contents of `\u002Fetc\u002Fpasswd` or the HTML\u002FResponse from the internal service provided in the `csv_url`.\n*   **Response Code**: `200 OK`.\n*   **Data Format**: Likely JSON or raw text depending on how the plugin handles the CSV \"parsing\" of the fetched content.\n\n### 8. Verification Steps\nAfter the exploit, verify that the content returned matches the expected target file:\n```bash\n# Check if the returned string contains root:x:0:0:\n# or if it contains DB_NAME for wp-config.php\n```\n\n### 9. Alternative Approaches\nIf the `admin-ajax.php` route is not directly accessible or requires complex widget state:\n1.  **Editor Save Injection**:\n    *   Intercept the Elementor \"Save Post\" request.\n    *   Inject the `csv_url` into the widget settings metadata within the `post_content`.\n    *   View the page on the frontend. If the plugin fetches the URL on render, the content might be displayed in the table HTML.\n2.  **Preview Mode**:\n    *   Use the Elementor \"Preview\" feature which often triggers the same data-fetching logic used in the editor but might use different permission checks.\n\n**Note on Sink Identification**: If `grep` shows the plugin uses `wp_remote_get()`, it usually supports various protocols but might be limited by the `WP_Http` class. If it uses `file_get_contents()`, it is highly susceptible to the `file:\u002F\u002F` protocol. If it uses `curl`, check for `CURLOPT_PROTOCOLS` restrictions.","The TableMaster for Elementor plugin fails to validate the 'csv_url' parameter used to fetch remote data for its Data Table widget. 
This allows authenticated attackers with Author-level permissions to perform Server-Side Request Forgery (SSRF) to access internal network services or read sensitive local files using the file:\u002F\u002F protocol.","\u002F\u002F Likely located in inc\u002Fwidgets\u002Ftable-master-table.php (inferred from plugin structure)\n\npublic function get_remote_csv_data( $settings ) {\n    $csv_url = $settings['csv_url']; \u002F\u002F User-supplied URL from widget settings\n\n    if ( ! empty( $csv_url ) ) {\n        $response = wp_remote_get( $csv_url ); \u002F\u002F Vulnerable Sink: Does not restrict scheme or host\n        \n        if ( ! is_wp_error( $response ) ) {\n            $body = wp_remote_retrieve_body( $response );\n            return $body;\n        }\n    }\n    return false;\n}","--- a\u002Finc\u002Fwidgets\u002Ftable-master-table.php\n+++ b\u002Finc\u002Fwidgets\u002Ftable-master-table.php\n@@ -124,7 +124,15 @@\n-        $response = wp_remote_get( $csv_url );\n+        $response = wp_safe_remote_get( \n+            $csv_url, \n+            array(\n+                'timeout'     => 10,\n+                'redirection' => 0,\n+                'httpversion' => '1.0',\n+                'blocking'    => true,\n+                'headers'     => array(),\n+                'cookies'     => array(),\n+            ) \n+        );","To exploit this vulnerability, an attacker requires Author-level credentials to access the Elementor editor. The attacker navigates to the Elementor page builder for a post\u002Fpage and adds the 'TableMaster Data Table' widget. By selecting 'Remote CSV' as the data source, the attacker can input a malicious URL into the 'csv_url' parameter. For Local File Disclosure, the payload 'file:\u002F\u002F\u002Fetc\u002Fpasswd' or 'file:\u002F\u002F\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php' is used. For internal service scanning, internal IP addresses like 'http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F' are used. 
When the editor saves the widget or triggers a preview, the server performs the request and returns the content of the targeted resource in the AJAX response or rendered HTML.","gemini-3-flash-preview","2026-05-04 22:39:38","2026-05-04 22:40:01",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftablemaster-for-elementor\u002Ftags\u002F1.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftablemaster-for-elementor.1.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftablemaster-for-elementor\u002Ftags"]