XZ

Xiao Z's blog

Learn, build, share

Fixing WordPress SSRF and Directory Traversal Vulnerabilities

wordpress vulnerabilityssrf vulnerabilitydirectory traversalwordpress security fixalibaba cloud shield
Published·Modified·

Recently, Alibaba Cloud has been sending frequent SMS alerts indicating vulnerabilities on websites. To view detailed information and fix these issues via the backend Cloud Shield, one must upgrade to the professional version. For those unable to afford the professional edition, searching online for solutions is the only option.

WordPress Improper IP Validation Vulnerability

Vulnerability Description: The wp_http_validate_url function in the /wp-includes/http.php file of WordPress has improper input IP validation. This allows attackers to construct malformed IPs (e.g., 012.10.10.10) to bypass validation and perform Server-Side Request Forgery (SSRF).

Fix Solution:

  1. Locate the file /wp-includes/http.php.
  2. Around line 465, find the following code:
$same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );

Replace it with:

if ( isset( $parsed_home['host'] ) ) { $same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) ); } else { $same_host = false; } ;
  1. Around line 478, find the following code:
if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]

Modify it to:

if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]  || 0 === $parts[0]

Arbitrary Directory Traversal in WordPress Backend Plugin Update Module Causing DoS

Vulnerability Description: In the WordPress backend file /wp-admin/includes/ajax-actions.php, the input parameter plugin for the code plugin path is not correctly normalized or escaped. This allows attackers to pass special paths, resulting in a Denial of Service (DoS).

Fix Solution:

  1. Locate the file /wp-admin/includes/ajax-actions.php.
  2. Around line 2890, find the following code:
$plugin = urldecode( $_POST['plugin'] );

Add the following line to sanitize the input:

$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );

Finally, re-verify the vulnerability in the Alibaba Cloud Shield console. For reference, see the official fix summary: Alibaba Cloud Host WordPress Vulnerability Official Fix Summary.