Credential-Stealing Server Side Request Forgery Patched in Getwid

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.

The most serious vulnerability had a high severity because it allows authenticated users to perform Server Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against the Server Side Request Forgery (SSRF) on April 6, 2023. Wordfence Free users received the same protection on May 6, 2023.

Vulnerability Summary from Wordfence Intelligence

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be accessed via this endpoint but these are not considered sensitive as they are publicly accessible from the developer’s site.

Technical Analysis

Getwid – Gutenberg Blocks is a plugin offering a library of pre-generated blocks which it makes available to plugin users and retrieves remotely from the developer’s server. Unfortunately, this remote retrieval functionality, which utilized the REST API, only required an authenticated user in vulnerable versions, meaning that even subscriber-level users could make use of it.

While the rest routes for both vulnerabilities used a capability check in the permissions_check function, the capability checked was read, which all users, even subscribers, are assigned.

Pictured: The REST API Endpoints and the permissions_check function

On its own this was not a significant issue, but the get_remote_content function also failed to validate the URL passed in, meaning it could be used to retrieve information from any location via the server.

Pictured: The get_remote_content function

Only GET requests can be performed and the response data will only be rendered if it is JSON-formatted. However, sites hosted on Amazon AWS EC2 instances all have an endpoint which can be accessed internally and returns JSON-formatted credentials that can be used to access the instance.

Pictured: EC2 Credentials on a test box retrieved using this exploit. Click on the image to see it at full size

Sites running on AWS EC2 instances using IMDS (Instance Metadata Service) version 1 are vulnerable to this attack, while IMDSv2 offers preventative measures that prevent successful exploitation.

The second issue was significantly less severe and made use of the minimal capability check on the ‘get_remote_templates’ function. While this would likely have minimal impact on a site, it still compromises the site’s integrity to some extent.

Disclosure Timeline

April 6, 2023 – The Wordfence Threat Intelligence team releases a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response users and begins the responsible disclosure process. We send over the full disclosure to the developers.
April 13, 2023 – The plugin developers release a patch in version 1.8.4 of Getwid.
May 6, 2023 – Wordfence Free users receive the firewall rule.

Conclusion

In this blog post, we detailed a Server Side Request Forgery (SSRF) vulnerability in Getwid version 1.8.3 and earlier. This vulnerability allows authenticated attackers with subscriber-level permissions or higher to send arbitrary GET requests from the website, which can be used to obtain critically sensitive information in some configurations. We also described a lower-severity vulnerability allowing subscribers to clear the local template cache.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting the SSRF vulnerability on April 6, 2023. Sites still using the free version of Wordfence received the same protection on May 6, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as the SSRF vulnerability poses a significant risk. If you or someone you know is hosted on AWS we also highly recommend migrating to IMDSv2 if you have not already, as it offers protection from not only this but the vast majority of SSRF vulnerabilities.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.