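id: newsletter-open-redirect

# Detection template for an unauthenticated open redirect (CWE-601) in the
# WordPress Newsletter Manager plugin. Per the template name, versions below
# 1.5 are affected, so a finding should be triaged by checking the installed
# plugin version and upgrading to 1.5 or later.
info:
  name: WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect
  author: dhiyaneshDk
  severity: medium
  description: "WordPress Newsletter Manager < 1.5 is susceptible to an open redirect vulnerability. The plugin used base64 encoded user input in the appurl parameter without validation to redirect users using the header() PHP function, leading to an open redirect issue."
  reference: https://wpscan.com/vulnerability/847b3878-da9e-47d6-bc65-3cfd2b3dc1c1
  classification:
    cwe-id: CWE-601
  tags: wordpress,redirect,wp-plugin,newsletter,wp

requests:
  - method: GET
    path:
      # The appurl value is the base64 encoding of "https://example.com", a
      # domain reserved for documentation, so the probe never points a visitor
      # at a third-party host.
      - "{{BaseURL}}/?wp_nlm=confirmation&appurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ=="

    # Both matchers must hold: a Location header alone is not a redirect unless
    # the response status is 3xx, so the status check removes false positives
    # from non-redirect responses that happen to carry a Location header.
    matchers-condition: and
    matchers:
      # NOTE(review): the host part of this pattern accepts any host name that
      # ends in "example.com", so a target that redirects to such a host
      # regardless of appurl would also match; confirm a hit manually by
      # checking that the Location value follows the appurl parameter.
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

      - type: status
        status:
          - 301
          - 302
          - 303
          - 307
          - 308

# Enhanced by mp on 2022/04/13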