"Google WordPress Plug-in Bug Allows AWS Metadata Theft"

A Server-Side Request Forgery (SSRF) vulnerability in the Google Web Stories plugin for WordPress could be exploited to obtain Amazon Web Services (AWS) metadata from sites hosted on AWS. This metadata may contain sensitive data such as the AccessKeyId, SecretAccessKey, and Token. An SSRF vulnerability allows attackers to access internal resources by elevating privileges on a compromised machine via a modified URL. The Web Stories plugin provides an open visual storytelling format for the web, consisting of animations and other interactive images that can be embedded and shared between websites and applications. The plugin has more than 100,000 active installations.

A Wordfence research team revealed that the plugin was susceptible to the SSRF flaw, tracked as CVE-2022-3708, in versions prior to 1.24.0 due to insufficient validation of URLs supplied via the "url" parameter of the "/v1/hotlink/proxy" REST API endpoint. Using this vulnerability, an authenticated user could send web requests to arbitrary locations from the web application, according to Topher Tebow of Wordfence's Threat Intelligence team. During testing, the team was able to identify certain metadata necessary to enable functionality such as EC2 Instance Connect. Stolen metadata could then be used to log in to the virtual server and execute commands via the terminal.

This is only the tip of the iceberg, according to the researchers, as AWS offers numerous metadata types, each of which has a unique use and varying degrees of severity if misused. The team discovered the problem in October, and by the end of November, two sections of code had been modified to fully repair the plugin vulnerability. This article continues to discuss findings regarding the Google WordPress plugin bug.
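For sites that ran a version prior to 1.24.0, one way to review web server logs for misuse of the "url" parameter on the "/v1/hotlink/proxy" endpoint is sketched below. This is an added example, not code from Wordfence, Google or the article; the log lines are constructed, and the combined log format, the GET query-string form and the `/wp-json/web-stories` path prefix in them are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2023:10:00:01 +0000] "GET /wp-json/web-stories/v1/hotlink/proxy?url=https%3A%2F%2Fcdn.example.com%2Fa.png HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2023:10:00:05 +0000] "GET /wp-json/web-stories/v1/hotlink/proxy?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 312
203.0.113.9 - - [01/Jan/2023:10:00:09 +0000] "GET /wp-json/web-stories/v1/hotlink/proxy?url=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus HTTP/1.1" 200 88
203.0.113.9 - - [01/Jan/2023:10:00:12 +0000] "GET /wp-json/web-stories/v1/hotlink/proxy?url=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 40
198.51.100.4 - - [01/Jan/2023:10:01:00 +0000] "GET /wp-json/wp/v2/posts?url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PROXY_PATH = "/v1/hotlink/proxy"  # endpoint named in the article
INTERNAL_NAMES = {"localhost"}    # assumed list; extend with site-specific internal names

def classify_target(url):
    """Return a reason if the proxied URL names an internal host, else None."""
    try:
        host = urlsplit(url).hostname or ""
        if host in INTERNAL_NAMES:
            return "internal hostname"
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name or unparseable; resolving names is out of scope here
    if ip.is_link_local:  # 169.254.0.0/16 holds the AWS instance metadata address
        return "link-local address (cloud metadata range)"
    if ip.is_loopback or ip.is_private or ip.is_unspecified:
        return "loopback/private address"
    return None

def find_suspicious(log_text):
    """Return (client, proxied_url, reason) for proxy requests aimed at internal hosts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group(2))
        if not parts.path.endswith(PROXY_PATH):
            continue
        for url in parse_qs(parts.query).get("url", []):
            reason = classify_target(url)
            if reason:
                hits.append((m.group(1), url, reason))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

The check only classifies literal IP addresses and listed names; a public-looking DNS name that resolves to an internal address is not flagged, so any hit list from it is a lower bound.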

Dark Reading reports "Google WordPress Plug-in Bug Allows AWS Metadata Theft"
