Skip to content

Server Side Request Forgery (SSRF)


This article covers cases of possible SSRF on WordPress. This includes improper URL fetch handling inside of the plugin/theme which can be used to perform unauthorized actions or access to data within the organization. This can be in the vulnerable application, or on other back-end systems that the application can communicate with.

Useful Functions

Several functions could be useful to identify a possible SSRF vulnerability:

Example Cases

Below is an example of vulnerable code:

add_action("wp_ajax_nopriv_fetch_image_url", "fetch_image_url");
function fetch_image_url(){
$response = wp_remote_get($_GET["image_url"]);
$image_data = wp_remote_retrieve_body($response);
echo $image_data;

To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint specifying the needed parameter to trigger the wp_remote_get function.

Terminal window
curl <WORDPRESS_BASE_URL>/wp-admin/admin-ajax.php?action=fetch_image_url&image_url=<LOCAL_SERVICE_ON_THE_SERVER_OR_NETWORK>

Below are some of the findings related to SSRF: