id: ultimatemember-open-redirect

info:
  name: Ultimate Member < 2.1.7 - Unauthenticated Open Redirect
  author: 0x_Akoko
  severity: medium
  description: The Ultimate Member WordPress plugin was vulnerable to an Unauthenticated Open Redirect vulnerability, affecting the registration and login pages where the "redirect_to" GET parameter was used.
  reference: https://wpscan.com/vulnerability/97823f41-7614-420e-81b8-9e735e4c203f
  tags: wp-plugin,redirect,wordpress

requests:
  - method: GET
    path:
      - "{{BaseURL}}/register/?redirect_to=https://example.com/"

    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header