id: newsletter-open-redirect info: name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect author: dhiyaneshDk severity: medium description: WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the header() PHP function, leading to an open redirect issue. reference: - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1 classification: cwe-id: CWE-601 tags: wordpress,redirect,wp-plugin,newsletter,wp requests: - method: GET path: - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ==" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 # Enhanced by mp on 2022/04/13