WPScan and the United States government's National Vulnerability Database (NVD) published a notice of a vulnerability discovered in the HubSpot WordPress plugin. The vulnerability exposes sites running the plugin to a Server-Side Request Forgery (SSRF) attack.
WPScan Vulnerability Report
The security researchers at WPScan published the following report:
“HubSpot < 8.8.15 – Contributor+ Blind SSRF
Description
The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks”
Server Side Request Forgery (SSRF) Vulnerability
Exploiting this vulnerability requires a logged-in user with at least the Contributor role (the edit_posts capability); it cannot be triggered by an anonymous visitor.
According to the non-profit Open Web Application Security Project (OWASP), a worldwide organization dedicated to software security, an SSRF vulnerability can result in the exposure of internal services that are not meant to be reachable from outside.
OWASP describes the attack as follows:
“In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.
The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.”
The internal services OWASP lists as at risk are:
- “Cloud server meta-data
- Database HTTP interfaces
- Internal REST interfaces
- Files – The attacker may be able to read files using <file://> URIs”
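The WPScan description above says the plugin passed a caller-supplied URL to its proxy endpoint without validating it, and the OWASP list shows what an unvalidated URL can reach. The following is an added example, not code from the HubSpot plugin or from WPScan, of the check a proxy endpoint should apply before fetching anything: only http(s), no userinfo, an allow-list of upstream hosts, and a final check that the host does not resolve to a loopback, link-local (including the 169.254.169.254 cloud metadata address), private or reserved address. The host names, the allow-list and the fake DNS table are constructed for the demo so the script runs offline.

```php
<?php
// Added example, not code from the HubSpot plugin or WPScan: a hardened check for a
// URL handed to a server-side proxy endpoint. All host names and the DNS table below
// are constructed for the demo.

declare(strict_types=1);

/** True when $ip is loopback, link-local (incl. 169.254.169.254), private or otherwise reserved. */
function is_non_public_ip(string $ip): bool
{
    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, ::1, fe80::/10 and other reserved blocks.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/**
 * Validate a proxy target. Returns [bool $ok, string $reason].
 * $resolve maps a host name to its IP addresses; the default uses gethostbynamel()
 * (IPv4 only; use dns_get_record() as well to cover AAAA records in production).
 */
function validate_proxy_url(string $url, array $allowed_hosts, ?callable $resolve = null): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return [false, 'missing scheme or host'];          // also catches file:///path (no host)
    }

    // 1. Scheme allow-list: blocks file://, gopher://, dict:// and similar handlers.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' not allowed"];
    }

    // 2. No userinfo: "user:pass@host" forms are a classic source of URL parser disagreement.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }

    // 3. Host allow-list: a proxy endpoint should only reach upstreams the plugin knows about.
    //    Normalise case, strip IPv6 brackets and a trailing dot before comparing.
    $host = strtolower(trim($parts['host'], '[].'));
    if (!in_array($host, $allowed_hosts, true)) {
        return [false, "host '$host' not in allow-list"];
    }

    // 4. Defence in depth: an allow-listed name (or an IP literal) must not point at an
    //    internal address; a DNS record the site operator does not control could do that.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = $resolve ? $resolve($host) : (gethostbynamel($host) ?: []);
    }
    if ($ips === []) {
        return [false, "host '$host' does not resolve"];
    }
    foreach ($ips as $ip) {
        if (is_non_public_ip($ip)) {
            return [false, "host '$host' resolves to non-public address $ip"];
        }
    }
    return [true, 'ok'];
}

// ---- constructed demo: a fake DNS table so the check runs without network access ----
$fake_dns = static function (string $host): array {
    $table = [
        'api.example.com'     => ['93.184.216.34'],
        'rebound.example.com' => ['93.184.216.34', '169.254.169.254'], // one public, one metadata address
    ];
    return $table[$host] ?? [];
};
$allowed = ['api.example.com', 'rebound.example.com'];

$cases = [ // url => expected verdict
    'https://api.example.com/v1/contacts'      => true,
    'https://API.example.com./v1/contacts'     => true,   // case and trailing dot normalised
    'file:///etc/hosts'                        => false,  // OWASP: file:// URIs
    'http://169.254.169.254/latest/meta-data/' => false,  // OWASP: cloud metadata
    'http://127.0.0.1:9200/_cat/indices'       => false,  // OWASP: HTTP-enabled database
    'http://[::1]:8080/'                       => false,  // OWASP: internal REST interface
    'http://user:pw@api.example.com/'          => false,
    'https://rebound.example.com/'             => false,  // allow-listed name, bad A record
    'https://evil.example.net/'                => false,
];
foreach ($cases as $url => $expected) {
    [$ok, $why] = validate_proxy_url($url, $allowed, $fake_dns);
    printf("%s %-42s %s\n", $ok === $expected ? 'PASS' : 'FAIL', $url, $why);
}
```

Two points from the WPScan description are not covered by URL validation alone. First, the endpoint was reachable by anyone holding edit_posts; a WordPress REST route registered with register_rest_route() should carry a permission_callback that demands an administrative capability such as manage_options rather than a capability every Contributor holds. Second, the name is resolved once here and again when the connection is made, and an HTTP redirect can point somewhere the check never saw; fetching with WordPress's wp_safe_remote_get(), which applies the core wp_http_validate_url() check to the URL and to redirect targets, or pinning the connection to the validated address, closes that gap.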
HubSpot WordPress Plugin
The HubSpot WordPress plugin is used by over 200,000 publishers. It provides CRM, live chat, analytics and email marketing related capabilities.
WPScan's report notes that the vulnerability was fixed in version 8.8.15.
However, the plugin's changelog shows that the HubSpot WordPress plugin received further updates after that release to fix other vulnerabilities.
Here is a list of the updates according to the official changelog, in order beginning with the oldest update:
= 8.8.15 (2022-04-07) =
* Fix security issue related to proxy URL
= 8.9.14 (2022-04-12) =
* Fix security issue related to form inputs
= 8.9.20 (2022-04-13) =
* Fix security issue related to sanitizing inputs
While WPScan and the National Vulnerability Database state that the vulnerability was fixed in version 8.8.15, the HubSpot plugin changelog records further security fixes all the way up to version 8.9.20.
So it may be prudent to update the HubSpot plugin to at least version 8.9.20, although the latest version of the HubSpot WordPress plugin, as of this writing, is version 8.11.0.
Citations
WPScan Vulnerability Report: HubSpot < 8.8.15 – Contributor+ Blind SSRF