Description

WordPress Plugin All in One Social Lite is prone to a server-side request forgery vulnerability. An attacker may leverage this issue to make the vulnerable server perform port scanning of hosts in internal or external networks; other attacks are also possible. WordPress Plugin All in One Social Lite version 1.0 is vulnerable.

Remediation

Edit the source code to ensure that input is properly validated or disable the plugin until a fix is available

References

https://codevigilant.com/disclosure/wp-plugin-all-in-one-social-lite-ssrfxspa/

Related Vulnerabilities

WordPress Plugin WP OAuth Server (OAuth Authentication) Cross-Site Scripting (4.2.1)

Jolokia Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-0168)

Drupal Improper Input Validation Vulnerability (CVE-2013-6389)

WordPress Plugin Social Essentials-Social Stats and Sharing Buttons Cross-Site Scripting (1.3.1)

Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0096)

Severity

High

Classification

CWE-918 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update SSRF