nuclei-templates/vulnerabilities/wordpress/newsletter-open-redirect.yaml

27 lines
982 B
YAML

id: newsletter-open-redirect
info:
name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect
author: dhiyaneshDk
severity: medium
description: WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the
header() PHP function, leading to an open redirect issue.
reference:
- https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
classification:
cwe-id: CWE-601
tags: wordpress,redirect,wp-plugin,newsletter,wp
requests:
- method: GET
path:
- "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ=="
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/13