CVE-2023-3958: Changeset 2953845 for wp-remote-users-sync – WordPress Plugin Repository
The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the ‘notify_ping_remote’ AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.
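The pattern the advisory describes, shown as an added example rather than the plugin's own code: an AJAX handler that forwards a caller-supplied URL with `wp_remote_post()` next to a hardened version that requires a capability and a nonce, restricts the destination to configured sites, and uses `wp_safe_remote_post()`, the same function the 1.2.13 changeset switches to. The handler names, the `myplugin_ping` action and the `myplugin_remote_sites` option are hypothetical.

```php
<?php
// Added example, not code from wp-remote-users-sync. All myplugin_* names are hypothetical.

// Vulnerable pattern: reachable by any logged-in user (wp_ajax_* hooks fire for
// every authenticated role), and the URL is handed straight to wp_remote_post(),
// so the server will POST to whatever the caller supplies, loopback and private
// addresses included.
function myplugin_ping_unsafe() {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_post( $url, array( 'body' => array( 'ping' => 1 ) ) );
    wp_send_json( is_wp_error( $response ) ? $response->get_error_message() : wp_remote_retrieve_response_code( $response ) );
}

// Hardened pattern:
//  1. require a capability, not merely a login;
//  2. verify a nonce so the request is deliberate;
//  3. only accept destinations the administrator configured;
//  4. use wp_safe_remote_post(), which passes the URL through wp_http_validate_url():
//     http/https only, no credentials embedded in the URL, ports 80/443/8080 only,
//     and hosts resolving to loopback or private ranges rejected unless the
//     http_request_host_is_external filter explicitly allows them.
function myplugin_ping_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'myplugin_ping', 'nonce' ); // dies on failure

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // Allow-list of remote sites saved by the administrator (hypothetical option name).
    $allowed = (array) get_option( 'myplugin_remote_sites', array() );
    if ( '' === $url || ! in_array( $url, $allowed, true ) ) {
        wp_send_json_error( 'unknown remote site', 400 );
    }

    $response = wp_safe_remote_post(
        $url,
        array(
            'body'    => array( 'ping' => 1 ),
            'timeout' => 5,
        )
    );
    if ( is_wp_error( $response ) ) {
        // wp_http_validate_url() failures surface here as a WP_Error as well.
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_response_code( $response ) );
}
add_action( 'wp_ajax_myplugin_ping', 'myplugin_ping_safe' );
```

Two points a reviewer should keep in mind about `wp_safe_remote_post()`: it still permits requests to any public host, so the capability check and the allow-list are what stop a low-privilege user from using the site as a request proxy, and the private-range check is made against the address the host resolves to at validation time, so keeping the destination list administrator-controlled is the more robust control.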
Timestamp:
08/15/2023 01:59:03 PM
frogerme
Message:
v1.2.13
Location:
wp-remote-users-sync/trunk
Files:
- inc/api/class-wprus-api-abstract.php (1 diff)
- readme.txt (1 diff)
- wprus.php (1 diff)
wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php
r2946667
r2953845
879
879
'token' => $this->get\_token( $url, $data\['username'\], 'post' ),
880
880
);
881
$response = wp\_remote\_post(
881
$response = wp\_safe\_remote\_post(
882
882
trailingslashit( $url ) . 'wprus/' . trailingslashit( $endpoint ),
883
883
array(
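Review bot: the swap from wp_remote_post() to wp_safe_remote_post() at line 881 is the right fix for the reported SSRF, because $url is now run through wp_http_validate_url() (http/https only, no credentials embedded in the URL, ports 80/443/8080 only, and hosts resolving to loopback or private ranges rejected unless the http_request_host_is_external filter allows them). Two caveats before approving: the safe variant still allows requests to any public host, so the authorization on the AJAX action that reaches this code path (the advisory names subscriber-level callers) remains the other half of the fix and should be confirmed in the same release; and any other outbound wp_remote_* calls in the plugin should receive the same treatment, since this changeset touches only this one call site.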
wp-remote-users-sync/trunk/readme.txt
r2946667
r2953845
169
169
More help can be found on <a href="https://wordpress.org/support/plugin/wp-remote-users-sync/">the WordPress support forum</a> for general inquiries and on <a href="https://github.com/froger-me/wp-remote-users-sync">Github</a> for advanced troubleshooting.
170
170
171
Help is provided for general enquiries and bug fixes only: feature requests, extra integration or conflict resolution with third-party themes or plugins, and specific setup troubleshooting requests will not be addressed (Webiste administrators must cont).
171
Help is provided for general enquiries and bug fixes only: feature requests, extra integration or conflict resolution with third-party themes or plugins, and specific setup troubleshooting requests will not be addressed (Website administrators must contact a third-party developer).
172
172
173
173
\== Changelog ==
174
175
\= 1.2.13 =
176
\* Use \`wp\_safe\_remote\_post\` instead of \`wp\_remote\_post\`
174
177
175
178
\= 1.2.12 =
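Review bot: the new changelog entry at 175-176 records the function swap but not that it closes a server-side request forgery, which is what site owners need in order to prioritise the update; suggest wording it as a security fix, e.g. `* Security: use wp_safe_remote_post instead of wp_remote_post to prevent SSRF in remote notifications`. The typo correction at 170/171 (Webiste, cont) is fine as is.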
wp-remote-users-sync/trunk/wprus.php
r2946667
r2953845
4
4
Plugin URI: https://github.com/froger-me/wp-remote-users-sync
5
5
Description: Synchronise WordPress Users across Multiple Sites.
6
Version: 1.2.12
6
Version: 1.2.13
7
7
Author: Alexandre Froger
8
8
Author URI: https://froger.me/
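Review bot: the Version header bump to 1.2.13 at line 6 matches the new changelog section, but the readme.txt diff in this changeset only touches lines 169-178, so the `Stable tag:` near the top of readme.txt is not updated here; confirm it is bumped (and the corresponding tag created) so that WordPress.org actually serves the patched release rather than 1.2.12.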