Atomic Edge analysis of CVE-2026-2479:
This vulnerability is an authenticated Server-Side Request Forgery (SSRF) in the Responsive Lightbox & Gallery WordPress plugin versions up to 2.7.1. The flaw resides in the remote library image upload functionality, allowing attackers with Author-level permissions or higher to force the application to make HTTP requests to arbitrary internal or external destinations. The CVSS score of 5 reflects the requirement for authenticated access and the limited impact scope.

Atomic Edge research identifies the root cause in the `ajax_upload_image()` function within the `class-remote-library.php` file. The vulnerable code uses `strpos()` for substring-based hostname validation instead of a strict host comparison. The original check, at lines 429-447 (numbered as in the patched version), reads: `if ( strpos( $image_host, $host ) !== false )`. Because this is a substring match, hostnames such as `evil-wikimedia.org` or `upload.wikimedia.org.evil.com` pass the domain restriction: they contain an allowed domain as a substring but resolve to servers outside it. The validation occurs during remote image upload processing triggered via the `rl-upload-image` AJAX action.

Exploitation requires an authenticated attacker with at least Author-level capabilities (`upload_files` permission). The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `rl-upload-image`. The payload includes a `rlnonce` (valid nonce for the `rl-remote-library-upload-image` action), `post_id`, and an `image` array containing a `media_provider` and a malicious `url` parameter. The `url` points to an internal service (like `http://169.254.169.254/latest/meta-data/`) or an external attacker-controlled server, with the hostname crafted to bypass substring validation (e.g., `http://metadata.google.internal.wikimedia.org/`). The plugin then fetches this URL, enabling SSRF.

The patch replaces substring matching with strict host validation. The updated code in `class-remote-library.php` lines 429-447 normalizes hostnames to lowercase and then either requires an exact match with an allowed host or accepts a subdomain only when the hostname ends with a dot followed by the allowed host, using `substr( $image_host, -( strlen( $host ) + 1 ) ) === '.' . $host`. This ensures `evil-wikimedia.org` no longer matches the allowed host `wikimedia.org`. The patch also adds rate limiting via `Responsive_Lightbox()->check_rate_limit()` and replaces `wp_remote_head()` with `wp_safe_remote_head()` for additional SSRF protection. These changes prevent hostname bypass techniques while maintaining functionality for legitimate subdomains like `upload.wikimedia.org`.
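To make the two checks concrete, the following is an added example (not the plugin's own code) that places the substring test quoted above beside the strict exact-or-subdomain test the patch introduces. The allow-list containing `wikimedia.org`, the sample URLs, and the use of PHP's `parse_url()` in place of the plugin's URL handling are assumptions made for this demonstration.

```php
<?php
// Added example, not from the Responsive Lightbox & Gallery plugin.
// Allow-list and sample URLs are constructed for this demonstration.

const ALLOWED_HOSTS = ['wikimedia.org']; // assumed allow-list (host named in the advisory)

/** Pre-patch logic: substring match, mirroring `strpos( $image_host, $host ) !== false`. */
function host_allowed_vulnerable(string $image_host, array $allowed): bool
{
    foreach ($allowed as $host) {
        if (strpos($image_host, $host) !== false) {
            return true; // any hostname that merely CONTAINS the allowed host passes
        }
    }
    return false;
}

/** Patched logic: lowercase, then exact match or a label-boundary subdomain match. */
function host_allowed_fixed(string $image_host, array $allowed): bool
{
    $image_host = strtolower($image_host);
    foreach ($allowed as $host) {
        $host = strtolower($host);
        if ($image_host === $host) {
            return true;
        }
        // Candidate must END with ".<host>", so "evil-wikimedia.org" and
        // "upload.wikimedia.org.evil.com" are both rejected.
        if (substr($image_host, -(strlen($host) + 1)) === '.' . $host) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: a legitimate (mixed-case) subdomain, the two bypass
// shapes named in the advisory, and an unrelated host.
$samples = [
    'https://UPLOAD.Wikimedia.org/some/image.jpg',
    'http://evil-wikimedia.org/image.jpg',
    'http://upload.wikimedia.org.evil.com/image.jpg',
    'http://unrelated.example/image.jpg',
];

foreach ($samples as $url) {
    $host = parse_url($url, PHP_URL_HOST); // stand-in for the plugin's URL parsing
    if (!is_string($host)) {
        continue; // no host component: nothing to validate, request would be refused
    }
    printf("%-34s substring:%-6s strict:%s\n", $host,
        host_allowed_vulnerable($host, ALLOWED_HOSTS) ? 'pass' : 'block',
        host_allowed_fixed($host, ALLOWED_HOSTS) ? 'pass' : 'block');
}
```

Host matching on its own does not address an allowed host that redirects or resolves to an internal address, which is why the patch also switches to `wp_safe_remote_head()` as a second layer.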

Successful exploitation allows attackers to interact with internal services accessible from the web server, including cloud metadata endpoints, database administration interfaces, and internal APIs. This can lead to sensitive information disclosure, internal network reconnaissance, and potential further attacks against backend systems. While the vulnerability requires Author-level access, compromised accounts or social engineering could provide this foothold. The SSRF capability enables attackers to bypass network security controls and interact with systems that would otherwise be inaccessible from external networks.