



A server-side request forgery (SSRF) vulnerability in the Google Web Stories plugin for WordPress could be exploited to steal Amazon Web Services (AWS) metadata from sites hosted on AWS servers. That metadata may contain sensitive information such as AccessKeyId, SecretAccessKey, and Token.

The SSRF vulnerability allows an attacker to elevate privileges on a compromised system using a malformed URL to gain access to internal resources.

The Web Stories plugin is an open visual storytelling format for the web, consisting of animations and other interactive graphics that can be shared and embedded across sites and apps. The plugin has over 100,000 active installs.

The Wordfence research team found that the plugin is vulnerable to an SSRF bug (CVE-2022-3708) in versions up to 1.24.0. This is due to insufficient validation of the URL provided via the ‘url’ parameter of the /v1/hotlink/proxy REST API endpoint.

“Exploiting this vulnerability allows an authenticated user to send web requests to arbitrary locations from a web application,” wrote Wordfence Threat Intelligence team member Topher Tebow in a Dec. 21 blog post.

He added that in testing, the team was able to uncover certain metadata used to enable features like EC2 Instance Connect. An attacker may use stolen metadata to log in to the virtual server and execute commands through the terminal.

Researchers say this is just the tip of the iceberg.

The team discovered this vulnerability in October and by the end of November updated two code blocks to fully fix the plugin vulnerability.

“After patching version 1.25.0, attempts to retrieve AWS metadata will fail,” explains Tebow.

He added that the issue particularly threatens sites with open registration, as an attack can succeed when carried out by a user logged in with a minimal-privilege account, such as a subscriber.

“Authenticated users do not require elevated privileges to exploit this vulnerability,” Tebow continued.

Limit SSRF vulnerabilities with Zero Trust

“It’s important for developers to understand the impact of vulnerabilities such as the SSRF vulnerability,” Tebow wrote. “Keeping code secure during development can be difficult, so you should test your code for vulnerabilities during and after it’s written.”

Developers are advised to pay close attention to coding practices related to the vulnerabilities inherent in each programming language, ensure all input is validated, and adopt a Zero Trust certification posture.

“Internal and external resources may be configured to assume that requests originating from internal locations are inherently trustworthy, which can lead to SSRF vulnerabilities,” Tebow said. “By requiring validation and approval for all actions, this default trust is removed and requests must be properly validated before they can be considered trusted.”
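The validation described above can be applied to a server-side fetcher by checking where a user-supplied URL actually resolves, rather than inspecting the URL string. The following is an added example, not code from Wordfence or from the Web Stories plugin, and it is written in Python rather than the plugin's PHP. The function names, hostnames and DNS answers are constructed for illustration; 169.254.169.254 is the link-local address at which AWS serves instance metadata.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "cdn.example.test": {"93.184.216.34"},
    "169.254.169.254": {"169.254.169.254"},        # IPv4 instance metadata address
    "innocent.example.test": {"169.254.169.254"},  # public name, internal target
    "mapped.example.test": {"::ffff:169.254.169.254"},
    "mixed.example.test": {"93.184.216.34", "10.0.0.5"},
}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, set())


def system_resolver(host, port):
    """Every address the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def is_public_ip(text):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4 address
    return ip.is_global


def validate_fetch_url(url, resolve=system_resolver):
    """Return (True, sorted IPs) if the server may fetch url, else (False, reason)."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, "scheme not allowed"
        if not parts.hostname or parts.username or parts.password:
            return False, "missing host or embedded credentials"
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addresses = resolve(parts.hostname, port)
    except (OSError, ValueError):
        return False, "unparseable URL or unresolvable host"
    if not addresses:
        return False, "unparseable URL or unresolvable host"
    blocked = sorted(a for a in addresses if not is_public_ip(a))
    if blocked:
        return False, "resolves to non-public address " + blocked[0]
    # Connect to one of the returned IPs and re-run this check on every redirect.
    return True, sorted(addresses)
```

A request is rejected if any resolved address is non-public, so a hostname that mixes public and internal answers does not pass.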

Other steps developers can take to limit abuse of websites built with WordPress include ongoing code reviews and updating WordPress plugins and themes.

WordPress Sites Face Many Security Issues

Malicious actors have been rapidly targeting WordPress sites since the beginning of the year, primarily through vulnerable plugins. A bug in a widely used plugin called Essential Addons for Elementor.

In May, a widespread attack was launched exploiting a known RCE flaw in the Tatsu Builder WordPress plugin, and two months later, researchers found a phishing kit that injected malware into legitimate WordPress sites and used a fake PayPal-branded social engineering scam.

Recently, a threat group called SolarMarker exploited a vulnerable website running WordPress to trick victims into downloading fake Chrome browser updates. Another threat actor was actively exploiting a critical vulnerability in BackupBuddy, a WordPress plugin used for installation backups.

