cbcvebase.
CVE-2019-16932
published 2019-09-30

CVE-2019-16932: A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data.

Priority: P1 (83)
CVSS 3.1: 10 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
Flags: ITW (exploited in the wild), EXPLOIT, VulnCheck KEV
EPSS: 39.14% (98.4th percentile)

Affected (1 range)

Vendor      Product      Version range   Fixed in
themeisle   visualizer   < 3.3.1         3.3.1

Detection & IOCs (extracted from sources)

url: /wp-json/visualizer/v1/upload-data
path: /wp-content/plugins/visualizer/readme.txt
command: POST /wp-json/visualizer/v1/upload-data with body {"url":"http://{{interactsh-url}}"}
  • Detect exploitation attempts by monitoring POST requests to /wp-json/visualizer/v1/upload-data, especially those containing a 'url' parameter pointing to external or internal hosts (SSRF probe).
  • Confirm plugin presence by checking for HTTP 200 response to GET /wp-content/plugins/visualizer/readme.txt containing both 'Visualizer' and 'Tested up to:' strings before probing the SSRF endpoint.
  • A successful SSRF exploitation will result in an outbound HTTP callback; monitor for out-of-band HTTP interactions (e.g., via interactsh/Burp Collaborator) triggered by the POST to the upload-data endpoint.
  • Successful exploitation returns HTTP 200 with a Content-Type: application/json response header from the upload-data endpoint.
  • The vulnerability is unauthenticated (no auth required); any unauthenticated POST to the REST endpoint should be treated as suspicious.
  • The vulnerability affects Visualizer plugin versions strictly before 3.3.1; version 3.3.1 and later are patched.
  • The SSRF is blind: there is no direct response reflection of the fetched content, so detection must rely on out-of-band (OOB) callback mechanisms rather than response body inspection.
  • The Content-Type for the POST exploit request must be set to application/x-www-form-urlencoded even though the body is JSON-formatted.
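As an added example (not part of this record or of the Visualizer project), a small triage routine that applies the detection notes above to request records such as a reverse proxy or WAF would log: it flags readme.txt fingerprinting, POSTs to the upload-data endpoint, and classifies where the 'url' parameter points (internal vs external host), noting the JSON-body-as-form-data mismatch. The record field names (src, method, path, content_type, body) and the sample values are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/wp-json/visualizer/v1/upload-data"
RECON_PATH = "/wp-content/plugins/visualizer/readme.txt"

def target_class(url):
    """Classify where the 'url' parameter points: internal, external or invalid."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name rather than a literal address
        return "internal" if host == "localhost" else "external"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"

def triage(rec):
    """Return (verdict, detail) for one request record; the field names are assumed."""
    method, path = rec["method"], rec["path"].split("?", 1)[0]
    if method == "GET" and path == RECON_PATH:
        return ("recon", "plugin fingerprinting via readme.txt")
    if method != "POST" or path != UPLOAD_ENDPOINT:
        return ("benign", "")
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:
        body = {}
    url = body.get("url") if isinstance(body, dict) else None
    if not url:
        return ("suspicious", "POST to upload-data without a url parameter")
    cls = target_class(url)
    ctype = rec.get("content_type", "")
    note = f"url -> {cls} host {urlsplit(url).hostname}"
    if "json" not in ctype:  # JSON body declared as form data, as in the known probe
        note += f"; JSON body sent with Content-Type {ctype or '(none)'}"
    return (f"ssrf-probe-{cls}", note)

# Constructed sample records, not real traffic.
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "method": "GET", "path": RECON_PATH},
    {"src": "198.51.100.7", "method": "POST", "path": UPLOAD_ENDPOINT,
     "content_type": "application/x-www-form-urlencoded", "body": '{"url":"http://oob.example.test/"}'},
    {"src": "198.51.100.7", "method": "POST", "path": UPLOAD_ENDPOINT,
     "content_type": "application/x-www-form-urlencoded", "body": '{"url":"http://10.0.0.5/"}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/wp-json/wp/v2/posts", "body": "{}"},
]

def triage_all(records=SAMPLE_RECORDS):
    return [(r["src"], *triage(r)) for r in records]
```

Because the SSRF is blind, a verdict of ssrf-probe-external should be correlated with outbound connections from the web server to the named host, and ssrf-probe-internal with unexpected internal connections from the same process.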

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
nvd         v2.0      5.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:N
vulncheck   -         10.0    CRITICAL   -