Cybersecurity company WPScan and the United States Government National Vulnerability Database have published an advisory about a vulnerability discovered in the HubSpot plugin for WordPress. The vulnerability exposes plugin users to a server-side request forgery attack.
The HubSpot plugin for WordPress
Used by over 200,000 publishers, HubSpot’s free WordPress plugin is one of the most popular plugins on the platform. It provides a website with capabilities related to CRM, live chat, forms, analytics, and email marketing.
It lets a site convert visitors into leads through its live chat, forms and pop-up windows; attract prospects through a CRM, email marketing and chatbots; and track how the business is developing through analytics.
The WPScan vulnerability report
WPScan security researchers published the following report:
They explain that the plugin does not validate the URL passed to its proxy endpoint, which could allow any user with the edit_posts capability (by default, Contributor and above) to perform SSRF attacks.
The SSRF vulnerability
The Server-Side Request Forgery (SSRF) vulnerability requires a logged-in user at the Contributor level for the exposure to occur.
According to the OWASP (Open Web Application Security Project), a worldwide non-profit organization dedicated to cybersecurity, an SSRF vulnerability can cause the exposure of internal services that are not intended to be exposed.
As OWASP explains: “In a server-side request forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can provide or modify a URL to which code running on the server will read or send data, and by carefully selecting the URLs, the attacker can read server configuration such as AWS metadata, connect to internal services such as http-enabled databases or making subsequent requests to internal services that are not intended to be exposed.”
The services that are not supposed to be exposed are:
- Cloud server metadata
- Database HTTP Interfaces
- Internal REST interfaces
- Files: an attacker may be able to read files using the file:// URI scheme
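The root cause described above is a proxy endpoint that forwards whatever URL it is given, and the OWASP list shows what that reaches: cloud metadata, database HTTP interfaces, internal REST services and local files. The following is an added illustration of the kind of validation such an endpoint needs; it is not code from the HubSpot plugin or from WPScan, and it is written in Python rather than the plugin's PHP to keep it self-contained. The host names, IP addresses and the `FAKE_DNS` table are constructed, and `validate_proxy_url` and `_is_public_ip` are hypothetical helper names. The check rejects non-HTTP schemes (so file:// never reaches a fetch), rejects embedded credentials, resolves the host and refuses anything that lands on a loopback, private, link-local (which covers the 169.254.169.254 metadata address), multicast or reserved address, including IPv4 addresses wrapped inside IPv6.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes may be proxied; file://, gopher://, ftp:// etc. are refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. A real deployment
# would use _dns_resolve below (socket.getaddrinfo), which also understands
# shorthand literals such as "2130706433" that ipaddress does not parse.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],              # constructed public host
    "intranet.example": ["10.0.0.5"],                  # resolves into RFC 1918 space
    "dual.example": ["93.184.216.34", "127.0.0.1"],    # one public and one loopback answer
}


def _dns_resolve(host: str) -> list[str]:
    """Resolve a host name to its IP strings using the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fake_resolve(host: str) -> list[str]:
    """Constructed resolver backed by FAKE_DNS; raises like a failed lookup would."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"unknown host {host!r}")


def _is_public_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for loopback, RFC 1918 and ULA ranges, link-local
    (so the 169.254.169.254 cloud metadata endpoint), documentation and
    reserved ranges; multicast is excluded explicitly because older Python
    versions do not treat it as non-global. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:127.0.0.1 cannot slip past an IPv4-only rule.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_proxy_url(url: str, resolve=_dns_resolve, allowed_hosts=None) -> tuple[bool, str]:
    """Decide whether a proxy endpoint may fetch `url`.

    Returns (ok, reason). `resolve` maps a host name to its IP strings;
    `allowed_hosts`, if given, is an explicit allowlist checked before DNS.
    Every resolved address must be public, so a name that resolves to an
    internal address is refused even when the name looks harmless.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        # An IP literal needs no lookup; anything else goes through the resolver.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "name did not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"resolver returned non-IP {addr!r}"
        if not _is_public_ip(ip):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"ok (port {port or 'default'})"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items",
        "file:///etc/passwd",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:9200/_cat/indices",
        "http://intranet.example/admin",
        "http://dual.example/",
    ):
        print(candidate, "->", validate_proxy_url(candidate, resolve=fake_resolve))
```

Two design points matter beyond the checks themselves. First, resolving the name at validation time is only safe if the HTTP client then connects to the address that was validated (or re-validates on connect); a record that is rebound between check and fetch would otherwise defeat the test. Second, the client must apply the same validation to every redirect target, since a public host that answers with a 302 to an internal address reintroduces the original problem.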
The WPScan report indicates that the vulnerability was fixed in version 8.8.15. However, the changelog documenting what was updated in the software shows that the plugin received additional updates to fix other vulnerabilities.
Here is a list of the updates according to the official changelog, in order starting with the oldest update:
Therefore, it would be advisable to update the HubSpot WordPress plugin to at least version 8.9.20, although the latest version of the plugin at the time of writing is 8.11.0.