id: wp-brandfolder-plugin-open-redirect

info:
  name: Wordpress brandfolder plugin Open Redirect
  author: 0x_Akoko
  reference: https://www.exploit-db.com/exploits/39591
  severity: low
  tags: wp,redirect

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=https://example.com/"

    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header