CVE-2019-16932

10.0 CRITICAL

📋 TL;DR

This is a blind Server-Side Request Forgery (SSRF) vulnerability in the Visualizer plugin for WordPress. It allows attackers to make arbitrary HTTP requests from the vulnerable server, potentially accessing internal systems or services. WordPress sites using Visualizer plugin versions before 3.3.1 are affected.

💻 Affected Systems

Products:
  • WordPress Visualizer plugin
Versions: All versions before 3.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Visualizer plugin to be installed and active on WordPress.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, perform port scanning, interact with cloud metadata services to obtain credentials, or chain with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Information disclosure from internal services, reconnaissance of the internal network, or interaction with cloud metadata APIs.

🟢 If Mitigated

Limited impact if network segmentation restricts outbound connections from the web server and internal services require authentication.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the wp-json/visualizer/v1/upload-data REST endpoint. A public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.1

Vendor Advisory: https://wordpress.org/plugins/visualizer/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Visualizer plugin.
4. Click 'Update Now' if available, or manually update to version 3.3.1 or later.

🔧 Temporary Workarounds

Disable Visualizer plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate visualizer

Block vulnerable endpoint (platform: linux)

Use a web application firewall or an .htaccess rule to block access to the vulnerable endpoint. WordPress also serves REST routes through the rest_route query parameter (for example /?rest_route=/visualizer/v1/upload-data), which the path-based rule below does not match, so cover that form as well in the WAF rule or with an additional rewrite condition.

RewriteEngine On
RewriteRule ^wp-json/visualizer/v1/upload-data - [F,L]

🧯 If You Can't Patch

  • Implement network segmentation to restrict outbound connections from web servers
  • Deploy web application firewall with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Visualizer version. If the version is below 3.3.1, the site is vulnerable.

Check Version:

wp plugin get visualizer --field=version

Verify Fix Applied:

Confirm Visualizer plugin version is 3.3.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to wp-json/visualizer/v1/upload-data with unusual parameters
  • Outbound connections from web server to internal IPs or unusual domains

Network Indicators:

  • HTTP POST requests to /wp-json/visualizer/v1/upload-data with URL parameters
  • Web server making requests to internal services or cloud metadata endpoints

SIEM Query:

source="web_server_logs" AND uri="/wp-json/visualizer/v1/upload-data" AND (method="POST" OR method="PUT")
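As an added example (not part of this advisory or the plugin's code), the following Python script applies the log and network indicators above to constructed web-server access-log lines: it flags every request for the upload-data endpoint, including the rest_route form, and raises the severity when a query parameter carries a URL pointing at a private, loopback or link-local address. The combined log format, the sample lines and the "url" parameter name are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/wp-json/visualizer/v1/upload-data"
VULN_ROUTE = "/visualizer/v1/upload-data"  # same route via ?rest_route=

# Combined access-log format (Apache/nginx default): client, method,
# request target and status are all this check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def is_internal_url(value):
    """True when value is a URL whose host is a private, loopback or link-local IP literal."""
    host = urlsplit(value).hostname
    try:
        addr = ip_address(host or "")
    except ValueError:
        return False  # not an IP literal; hostnames are not resolved offline
    return addr.is_private or addr.is_loopback or addr.is_link_local

def classify(line):
    """Return a finding for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    qs = parse_qs(parts.query)
    hits_route = any(r.startswith(VULN_ROUTE) for r in qs.get("rest_route", []))
    if parts.path != VULN_PATH and not hits_route:
        return None
    # POST bodies are absent from access logs, so every hit deserves review; a
    # query parameter carrying an internal URL is the strongest visible signal.
    internal = any(is_internal_url(v) for vals in qs.values() for v in vals)
    return {"client": m["ip"], "method": m["method"], "status": int(m["status"]),
            "via_rest_route": hits_route, "internal_target": internal,
            "severity": "high" if internal else "review"}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (RFC 5737 client addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:12:00:01 +0000] "POST /wp-json/visualizer/v1/upload-data?url=http://10.0.0.5:8080/ HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.2 - - [10/Oct/2019:12:00:02 +0000] "GET /?rest_route=/visualizer/v1/upload-data&url=http://127.0.0.1/ HTTP/1.1" 403 199 "-" "python-requests/2.22.0"',
    '192.0.2.9 - - [10/Oct/2019:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:12:00:04 +0000] "POST /wp-json/visualizer/v1/upload-data HTTP/1.1" 200 512 "-" "curl/7.64.0"',
]
```

Run `scan(SAMPLE_LOG)` to see the three findings; in production, feed it the access-log lines your SIEM query returns and pair "review" hits with the outbound-connection indicators above.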

🔗 References