CVE-2016-10926
📋 TL;DR
This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) attacks through the nelio-ab-testing WordPress plugin. Attackers can make the vulnerable server send HTTP requests to arbitrary internal or external systems, potentially accessing sensitive data or services. WordPress sites using affected versions of this plugin are at risk.
💻 Affected Systems
- WordPress nelio-ab-testing plugin
📦 What is this software?
Nelio Ab Testing by Neliosoftware
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, perform port scanning of internal networks, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Attackers scan internal networks, access metadata services (like AWS/Azure instance metadata), or interact with internal APIs to steal credentials and sensitive information.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to denial of service or limited information disclosure from the vulnerable server itself.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and tooling exists. The ajax endpoint is typically accessible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.9
Vendor Advisory: https://wordpress.org/plugins/nelio-ab-testing/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Nelio A/B Testing' and check the version.
4. If it is below 4.5.9, click 'Update Now' or update manually via FTP.
5. Verify that the version shows 4.5.9 or higher.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the vulnerable ajax/iesupport.php file via web server configuration
# Apache: add to the .htaccess in wp-content/plugins/nelio-ab-testing/ajax/
# (<Files> matches the file name only, so the directory prefix is dropped)
<Files "iesupport.php">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (mod_access_compat)
    # Order Allow,Deny
    # Deny from all
</Files>
# Nginx: add to the server block, before the generic \.php$ location so this regex matches first
location ~* /ajax/iesupport\.php$ {
    deny all;
    return 403;
}
Deactivate plugin
Temporarily disable the nelio-ab-testing plugin until it is patched
wp plugin deactivate nelio-ab-testing
🧯 If You Can't Patch
- Implement network egress filtering to restrict outbound HTTP requests from web servers
- Deploy web application firewall (WAF) rules to block SSRF patterns and suspicious outbound requests
🔍 How to Verify
Check if Vulnerable:
Check the WordPress plugin version via the admin panel, or examine /wp-content/plugins/nelio-ab-testing/readme.txt for the version number
Check Version:
wp plugin get nelio-ab-testing --field=version
Verify Fix Applied:
Confirm that the plugin version is 4.5.9 or higher, and test that a request to the ajax/iesupport.php endpoint returns an error or that the endpoint is inaccessible
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IPs or metadata services
- Requests to /wp-content/plugins/nelio-ab-testing/ajax/iesupport.php with URL parameters
Network Indicators:
- Web server making unexpected HTTP requests to internal network ranges, cloud metadata endpoints (169.254.169.254), or localhost
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/nelio-ab-testing/ajax/iesupport.php" OR dest_ip IN ("169.254.169.254", "127.0.0.1", "10.*", "172.16.*", "192.168.*"))
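Worked detection logic for the log indicators above, added here as an example (it is not code from the advisory or from the plugin): it parses constructed combined-format access-log lines and flags requests to the plugin endpoint whose query parameters name a loopback, RFC 1918, link-local or metadata host. The parameter name `u` in the sample lines is a placeholder; the check inspects every parameter value, so the real name does not matter.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint named in the advisory; requests to it that carry query parameters are the interesting ones.
ENDPOINT = "/wp-content/plugins/nelio-ab-testing/ajax/iesupport.php"
# Combined log format (Apache/Nginx): client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)')
# Names that resolve to the server itself or to a cloud metadata service.
LOCAL_NAMES = {"localhost", "metadata.google.internal"}

# Constructed sample lines; the parameter name "u" is a placeholder, the check reads every parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "GET /wp-content/plugins/nelio-ab-testing/ajax/iesupport.php?u=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2016:13:56:01 +0000] "GET /wp-content/plugins/nelio-ab-testing/ajax/iesupport.php?u=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Oct/2016:13:57:12 +0000] "GET /wp-content/plugins/nelio-ab-testing/ajax/iesupport.php?u=https://example.com/page HTTP/1.1" 200 1024',
    '192.0.2.3 - - [10/Oct/2016:13:58:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]


def is_internal_target(value: str) -> bool:
    """True if a parameter value is a URL or host naming loopback, private, link-local or metadata space."""
    candidate = value if "://" in value else "http://" + value  # accept bare hosts as well as URLs
    try:
        host = (urlsplit(candidate).hostname or "").lower()
        if host in LOCAL_NAMES:
            return True
        addr = ipaddress.ip_address(host)  # raises for hostnames and empty strings
    except ValueError:
        return False  # malformed URL or public hostname: cannot be judged offline
    return addr.is_loopback or addr.is_private or addr.is_link_local


def flag_requests(lines):
    """Return (client_ip, value) pairs for endpoint requests whose parameters name an internal target."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != ENDPOINT or not query:
            continue
        for _, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes values
            if is_internal_target(value):
                hits.append((m.group("ip"), value))
    return hits
```

Running `flag_requests(SAMPLE_LOG)` reports the two requests aimed at the metadata address and the private 10.0.0.5 host, and ignores the request to a public site and the unrelated wp-login.php hit.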