Demystifying SSRF

Server-Side Request Forgery (SSRF) is a flaw in which an attacker induces a server-side application to make HTTP requests to a domain of the attacker's choosing. In an SSRF attack, the target WordPress server acts as a proxy, issuing requests on the attacker's behalf. This lets the attacker bypass the network perimeter and reach internal systems, cloud metadata endpoints (such as AWS's 169.254.169.254), or local loopback services that are not exposed to the public internet.

SSRF Targets in WordPress Core and Plugins

WordPress includes a robust HTTP API (wp_remote_get(), wp_safe_remote_get()) that lets plugins fetch data from external servers, for example to render link previews or download remote images. If a plugin takes a user-provided URL and fetches it without restrictions, it is vulnerable to SSRF: an attacker could supply http://localhost:8080 or an internal IP address, mapping out the internal network structure or exploiting unauthenticated internal services.

Protecting Your Infrastructure from SSRF

Defending against SSRF involves restricting where your server can send outgoing network requests:

  • Use wp_safe_remote_get(): WordPress offers built-in safe wrappers for remote requests. Functions such as wp_safe_remote_get() validate the target URL before the request is sent and refuse requests to loopback or private IP addresses.

  • Implement URL Whitelisting: If your plugin only needs to communicate with one specific API service, whitelist that host explicitly and reject every other input URL.

  • Network Segmentation: Configure the server firewall (for example iptables) to block outgoing connections from the web server user to internal IP ranges and cloud provider metadata services unless they are explicitly required.
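The first two defences above applied to the link-preview case from the previous section, as an added example that is not code from WordPress core or any plugin; the function names, the api.example.com host and the preview endpoint are assumptions.

```php
<?php
// Added example for this article; not code from WordPress core or any plugin.
// Assumed context: a plugin that builds link previews from a user-supplied URL.

// Vulnerable pattern: the URL is fetched exactly as received.
function preview_fetch_unsafe( $url ) {
    $response = wp_remote_get( $url ); // no target validation, follows redirects
    return is_wp_error( $response ) ? '' : wp_remote_retrieve_body( $response );
}

// Hardened version: scheme check, exact host whitelist, WordPress's own URL
// validation, and a request that refuses unsafe URLs and follows no redirects.
function preview_fetch_safe( $url, array $allowed_hosts ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'ssrf_bad_url', 'Malformed URL.' );
    }
    if ( 'https' !== strtolower( $parts['scheme'] ?? '' ) ) {
        return new WP_Error( 'ssrf_bad_scheme', 'Only https targets are allowed.' );
    }
    // Exact, case-insensitive host match. Compare whole hosts, not substrings:
    // a prefix/suffix check would accept evil-example.com or example.com.evil.tld.
    // The whitelist is the primary control: wp_http_validate_url() resolves the
    // name once at check time, while the request resolves it again later.
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    if ( ! in_array( $host, array_map( 'strtolower', $allowed_hosts ), true ) ) {
        return new WP_Error( 'ssrf_host_not_allowed', "Host not allowed: $host" );
    }
    // Core check: rejects loopback/private IP targets and ports other than
    // 80, 443 and 8080. wp_safe_remote_get() runs it internally as well; calling
    // it here first yields a clear error instead of a generic request failure.
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'ssrf_unsafe_url', 'URL rejected by wp_http_validate_url().' );
    }
    $response = wp_safe_remote_get(
        $url,
        array(
            'timeout'     => 5,
            'redirection' => 0, // a 3xx pointing at an internal address is never followed
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// Usage (constructed inputs): only the whitelisted API host is ever contacted.
// preview_fetch_safe( 'https://api.example.com/preview?u=1', array( 'api.example.com' ) );
// preview_fetch_safe( 'http://localhost:8080/', array( 'api.example.com' ) ); // WP_Error
```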