nuclei-templates/vulnerabilities/wordpress/newsletter-open-redirect.yaml

id: newsletter-open-redirect

info:
  name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: dhiyaneshDk
  severity: medium
  description: The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
  reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  tags: wordpress,redirect,wp-plugin,newsletter,wp

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ=="

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
Create newsletter-open-redirect.yaml 2022-02-12 16:26:13 +00:00			`id: newsletter-open-redirect`

			`info:`
			`name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect`
			`author: dhiyaneshDk`
			`severity: medium`
			`description: The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.`
			`reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1`
Update newsletter-open-redirect.yaml 2022-02-15 11:03:09 +00:00			`tags: wordpress,redirect,wp-plugin,newsletter,wp`
Create newsletter-open-redirect.yaml 2022-02-12 16:26:13 +00:00
			`requests:`
			`- method: GET`
			`path:`
template fixes 2022-02-18 06:35:33 +00:00			`- "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ=="`
Create newsletter-open-redirect.yaml 2022-02-12 16:26:13 +00:00
			`matchers:`
			`- type: regex`
			`part: header`
template fixes 2022-02-18 06:35:33 +00:00			`regex:`
			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@])example\.com\/?(\/\|[^.].)?$' # https://regex101.com/r/ZDYhFh/1`