CVE-2019-16932
Published: 2019-09-30
CVE-2019-16932: A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data.
Priority: P1 (83) · Severity: critical · CVSS 3.1 base score: 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 39.14% (98.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themeisle | visualizer | < 3.3.1 | 3.3.1 |
Detection & IOCs (extracted from sources)
Path: /wp-content/plugins/visualizer/readme.txt
Request: POST /wp-json/visualizer/v1/upload-data with body {"url":"http://{{interactsh-url}}"}
- Detect exploitation attempts by monitoring POST requests to /wp-json/visualizer/v1/upload-data, especially those containing a 'url' parameter pointing to external or internal hosts (SSRF probe).
- Confirm plugin presence by checking for an HTTP 200 response to GET /wp-content/plugins/visualizer/readme.txt containing both the 'Visualizer' and 'Tested up to:' strings before probing the SSRF endpoint.
- A successful SSRF exploitation results in an outbound HTTP callback; monitor for out-of-band HTTP interactions (e.g., via interactsh/Burp Collaborator) triggered by the POST to the upload-data endpoint.
- Successful exploitation returns HTTP 200 with a Content-Type: application/json response header from the upload-data endpoint.
- The vulnerability is unauthenticated (no auth required); any unauthenticated POST to the REST endpoint should be treated as suspicious.
- The vulnerability affects Visualizer plugin versions strictly before 3.3.1; version 3.3.1 and later are patched.
- The SSRF is blind: there is no direct response reflection of the fetched content, so detection must rely on out-of-band (OOB) callback mechanisms rather than response body inspection.
- The Content-Type for the POST exploit request must be set to application/x-www-form-urlencoded even though the body is JSON-formatted.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vulncheck | | 10.0 | CRITICAL | |
GHSA
GHSA-f8jx-jhwh-gq9j: A blind SSRF vulnerability exists in the Visualizer plugin before 3
Source: ghsa (unreviewed) · 2022-05-24 · CVE-2019-16932 · CRITICAL · CWE-918
A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data.
VulnCheck
themeisle visualizer Server-Side Request Forgery (SSRF)
Source: vulncheck · 2019 · CVE-2019-16932 · CRITICAL · CVSS 10.0
A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data.
Affected: themeisle visualizer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2019-16932; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-04&host_type=src&vulnerability=cve-2019-16932; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-05&host_type=src&vulnerability=cve-2019-16932; http
No detection rules found.
Nuclei
Visualizer <3.3.1 - Blind Server-Side Request Forgery
Source: nuclei · CVE-2019-16932 · CRITICAL · CVSS 10.0
Visualizer prior to 3.3.1 suffers from a blind server-side request forgery vulnerability via the /wp-json/visualizer/v1/upload-data endpoint.
Template:
```yaml
id: CVE-2019-16932

info:
  name: Visualizer <3.3.1 - Blind Server-Side Request Forgery
  author: akincibor
  severity: critical
  description: |
    Visualizer prior to 3.3.1 suffers from a blind server-side request forgery vulnerability via the /wp-json/visualizer/v1/upload-data endpoint.
  impact: |
    An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or data leakage.
  remediation: |
    Update Visualizer plugin to version 3.3.1 or later to fix the SSRF vulnerability.
  reference:
    - https://wpscan.com/vulnerability/9892
    -
```
No writeups or analysis indexed.
References:
- https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf
- https://wordpress.org/plugins/visualizer/#developers
- https://wpvulndb.com/vulnerabilities/9892