CVE-2023-1895

8.5 HIGH

📋 TL;DR

The get_remote_content REST API route of the Getwid – Gutenberg Blocks WordPress plugin lets any authenticated user, including accounts with only the Subscriber role, make the web server fetch an attacker-chosen URL (Server-Side Request Forgery). Because the request originates from the server, the attacker can reach services that are only exposed on localhost or the internal network, read their responses, and use the server as a pivot for internal reconnaissance. All sites running Getwid versions up to and including 1.8.3 are affected; 1.8.4 contains the fix.

💻 Affected Systems

Products:
  • Getwid – Gutenberg Blocks WordPress plugin
Versions: All versions up to and including 1.8.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least subscriber-level WordPress user account. Plugin must be active and REST API endpoint accessible.

📦 What is this software?

Getwid is a WordPress plugin that adds a library of additional blocks for the Gutenberg block editor. The vulnerable code lives in its REST API component (includes/rest-api.php, the file touched by the fix changeset below), which the block editor calls to fetch remote content on the server's behalf.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers reach services bound to loopback or the internal network that trust the network instead of authenticating (caches, message queues, admin consoles, cloud metadata endpoints), read their responses, map the internal network through timing and error differences, or chain the SSRF with a bug in an internal service that is only reachable from the web tier to achieve remote code execution.

🟠 Likely Case

Attackers register a subscriber account (or use an existing one) and use the endpoint to probe internal address ranges, query cloud metadata services such as AWS IMDS for credentials (IMDSv1 answers a plain GET; IMDSv2 requires a PUT with a token header that a simple GET-based SSRF cannot supply), or pull data from internal APIs.

🟢 If Mitigated

With network segmentation and egress filtering in place, the impact is limited to what the web server itself can reach. Services listening on 127.0.0.1 (database, cache, PHP-FPM status pages) stay exposed, because no network control sits between the PHP process and loopback, so local service enumeration remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via the REST API endpoint. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.4

Vendor Advisory (fix changeset in the WordPress.org plugin repository): https://plugins.trac.wordpress.org/changeset/2892728/getwid/tags/1.8.4/includes/rest-api.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Getwid plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.8.4 or later from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

Platform: all

Remove or restrict access to the get_remote_content REST API endpoint so that subscriber-level accounts can no longer reach it. Any editor feature that depends on the endpoint stops working while the workaround is in place.

Add to the theme's functions.php or to a custom plugin: remove_action('rest_api_init', 'getwid_rest_api_init');

Caveat: remove_action() only works when the callback name and priority match exactly how the plugin registered its hook, and it silently does nothing otherwise. The callback name above is an assumption; check includes/rest-api.php in your installed version and confirm afterwards that the route is gone (for example, that /wp-json/getwid/v1/get_remote_content returns a 404 rest_no_route error).
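The following must-use plugin is an added example written for this page; it is not code from Getwid or its vendor. Instead of guessing the plugin's hook callback name, it uses two WordPress core filters: rest_endpoints, which receives the complete route table after every plugin has registered, and rest_request_before_callbacks, which runs after route matching and before the endpoint's own permission check. The route key /getwid/v1/get_remote_content is taken from the endpoint path this page lists and is an assumption to verify against the plugin's includes/rest-api.php; keep whichever one of the two options fits your site.

```php
<?php
/**
 * Plugin Name: CVE-2023-1895 stop-gap: block Getwid get_remote_content
 *
 * Added example for this page; not code from Getwid or its vendor.
 * Save as wp-content/mu-plugins/getwid-ssrf-stopgap.php so WordPress
 * loads it unconditionally and before ordinary plugins.
 *
 * Assumption: the route is registered under the "getwid/v1" namespace as
 * "/get_remote_content" (the path this page lists). Confirm the exact key
 * in the plugin's includes/rest-api.php, or list it (WP >= 5.4) with
 *   wp eval 'print_r(array_keys(rest_get_server()->get_routes("getwid/v1")));'
 */

defined( 'ABSPATH' ) || exit;

const GETWID_SSRF_ROUTE = '/getwid/v1/get_remote_content'; // assumed route key

// Option A: remove the route from the REST route table. rest_endpoints is a core
// filter applied after every plugin has registered its routes, so this works
// regardless of which hook, callback name or priority Getwid uses internally.
// Side effect: any editor feature that relies on this route stops working.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        // Match by prefix so a trailing regex or optional segment in the key is caught too.
        if ( strpos( $route, GETWID_SSRF_ROUTE ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}, PHP_INT_MAX );

// Option B (use instead of A if editors still need the feature): keep the route but
// refuse callers without edit_posts, a capability Subscribers lack. The filter runs
// after route matching and before the endpoint's own permission_callback; returning
// a WP_Error short-circuits the request with the given status code.
add_filter( 'rest_request_before_callbacks', function ( $response, array $handler, WP_REST_Request $request ) {
    if ( strpos( $request->get_route(), GETWID_SSRF_ROUTE ) === 0 && ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to fetch remote content.',
            array( 'status' => 403 )
        );
    }
    return $response;
}, 10, 3 );
```

Option B raises the bar to Contributor and above rather than closing the SSRF, so it is only appropriate as a bridge until 1.8.4 is installed; Option A removes the attack surface entirely. After enabling either, request the endpoint as a subscriber and confirm you receive a 404 (Option A) or 403 (Option B) rather than fetched content.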

Restrict user registration

Platform: all

Prevent new subscriber account creation to reduce the attack surface. Accounts that already exist (commenters, shop customers, membership users) remain able to exploit the bug, so this reduces exposure rather than removing it.

In WordPress Settings → General, uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Implement network-level egress restrictions so the web server can only reach the internal hosts it needs, and block the cloud metadata address (169.254.169.254) where no workload on the host requires it. Note that services on 127.0.0.1 cannot be protected this way.
  • Use web application firewall (WAF) rules to block requests to the /wp-json/getwid/v1/get_remote_content endpoint (match both the pretty path and the ?rest_route=/getwid/v1/get_remote_content form). This also breaks the editor feature that uses the route, which is acceptable until the patch is applied.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Getwid version. If version ≤1.8.3, vulnerable.

Check Version:

wp plugin list --name=getwid --field=version (if WP-CLI installed)

Verify Fix Applied:

Verify Getwid plugin version is 1.8.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Requests (GET or POST) to /wp-json/getwid/v1/get_remote_content, or to ?rest_route=/getwid/v1/get_remote_content, from authenticated users who cannot edit posts; the route exists to serve the block editor, so subscriber-role callers are the anomaly
  • Multiple requests from the same user or source IP whose URL parameter points at loopback, link-local (169.254.169.254), or RFC 1918 addresses, or walks through sequential ports or hosts

Network Indicators:

  • Web server making unexpected outbound HTTP requests to internal IPs or unusual domains
  • Port scanning patterns originating from web server

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-json/getwid/v1/get_remote_content" OR uri_query CONTAINS "rest_route=/getwid/v1/get_remote_content")

Filter on the endpoint first and then inspect the request parameters; matching on user agents such as curl or wget is noisy and trivially evaded, so treat it as a secondary signal at most. Counting distinct target hosts or ports per source user over a short window separates a scan from legitimate editor use.
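As an added example of the detection logic (not part of the original advisory or of Getwid), the script below scans web-server access-log lines for hits on the endpoint path this page lists and flags those whose query string carries a URL aimed at a loopback, link-local, private, or otherwise non-public target. The log lines are constructed samples in Apache/nginx "combined" format, and because the name of the URL parameter is not stated on this page, every query parameter is inspected rather than one assumed name.

```php
<?php
// Added example for this page; not code from the advisory or from Getwid.
// Scans combined-format access-log lines for calls to the Getwid route and
// reports requests whose query parameters contain an internal target URL.

const GETWID_ROUTE = '/wp-json/getwid/v1/get_remote_content';

/** True if the host of $url is a private, loopback, link-local or otherwise non-public target. */
function getwid_is_internal_target( string $url ): bool {
    $parts = parse_url( $url );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return false;
    }
    $host = strtolower( trim( $parts['host'], '[]' ) ); // strip IPv6 brackets
    if ( filter_var( $host, FILTER_VALIDATE_IP ) !== false ) {
        // Literal IP: NO_PRIV_RANGE rejects RFC 1918 / fc00::/7, NO_RES_RANGE rejects
        // 127.0.0.0/8, 169.254.0.0/16 (cloud metadata), 0.0.0.0/8, ::1 and fe80::/10.
        return filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) === false;
    }
    // Hostnames: single-label names and common internal suffixes resolve inside the perimeter.
    return $host === 'localhost'
        || strpos( $host, '.' ) === false
        || preg_match( '/\.(local|internal|lan)$/', $host ) === 1;
}

/** Parse one combined-format access-log line into client IP, method, path, status and query parameters. */
function getwid_parse_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    list( $path, $query ) = array_pad( explode( '?', $m[3], 2 ), 2, '' );
    $params = array();
    parse_str( $query, $params ); // URL-decodes the values
    return array( 'ip' => $m[1], 'method' => $m[2], 'path' => $path, 'status' => (int) $m[4], 'params' => $params );
}

/** Return one finding per request to the route that carries an internal target in any query parameter. */
function getwid_scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = getwid_parse_log_line( $line );
        if ( $req === null || strpos( $req['path'], GETWID_ROUTE ) !== 0 ) {
            continue;
        }
        foreach ( $req['params'] as $name => $value ) {
            if ( is_string( $value ) && getwid_is_internal_target( $value ) ) {
                $findings[] = array( 'ip' => $req['ip'], 'param' => $name, 'target' => $value, 'status' => $req['status'] );
            }
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic). The first two are probes of the
// cloud metadata service and a local Redis port; the third is a benign external fetch.
$sample_log = array(
    '203.0.113.7 - - [10/Apr/2023:12:00:01 +0000] "GET /wp-json/getwid/v1/get_remote_content?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] "GET /wp-json/getwid/v1/get_remote_content?url=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 33 "-" "curl/7.88.1"',
    '198.51.100.4 - - [10/Apr/2023:12:00:03 +0000] "GET /wp-json/getwid/v1/get_remote_content?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2023:12:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

foreach ( getwid_scan_access_log( $sample_log ) as $f ) {
    printf( "SSRF probe from %s: param %s -> %s (HTTP %d)\n", $f['ip'], $f['param'], $f['target'], $f['status'] );
}
```

Run it with php over a real log (replace $sample_log with file($path, FILE_IGNORE_NEW_LINES)). The hostname heuristics are deliberately conservative; a target such as an attacker-controlled DNS name that resolves to an internal address is invisible in the access log, which is why the outbound-connection indicators above matter as a second signal.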
