WPScan

WordPress Plugin Vulnerabilities

AcyMailing < 7.5.0 - Open Redirect

Description

When subscribing through AcyMailing, the "redirect" parameter is not properly validated. By converting the subscription request from POST to GET, an attacker can craft a link whose redirect target is a potentially malicious landing page and send that link to a victim.

Proof of Concept

When using AcyMailing to subscribe to a newsletter, the form sends a POST request with various parameters. Converting this to a GET request, with the same parameters passed in the query string, still completes the subscription. Any redirection configured for the form is not applied, i.e. the landing page can be set at will. The email address must be unique for each attempt.

http://example.com/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email][email protected]&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym

This request redirects to example.com; the "redirect" value can be changed to any web page.
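The defensive fix for this class of bug is to validate the redirect target against the site's own origin before issuing the redirect, rather than passing the parameter through. The following standalone PHP function is an added example written for this page; it is not AcyMailing's code or WPScan's, and the site URL and test inputs are constructed for illustration.

```php
<?php
// Added example (not AcyMailing's or WPScan's code): validate a user-supplied
// "redirect" value against the site's own origin before redirecting.
// The site URL https://example.org and the inputs below are constructed.

/**
 * Return $redirect if it points to the site's own origin, otherwise $fallback.
 *
 * Accepts site-relative paths ("/newsletter/thanks") and absolute URLs whose
 * scheme, host and port match the site exactly. Other hosts, scheme-relative
 * "//host" forms, userinfo tricks ("https://example.org@other.host") and values
 * carrying control characters all fall back to the safe default.
 */
function safe_redirect_target(string $redirect, string $site_url, string $fallback = '/'): string
{
    $redirect = trim($redirect);
    if ($redirect === '') {
        return $fallback;
    }

    // Reject control characters (including CR/LF) so the value cannot inject headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $redirect)) {
        return $fallback;
    }

    $site   = parse_url($site_url);
    $target = parse_url($redirect);
    if ($target === false || !isset($site['host'])) {
        return $fallback;
    }

    // Relative target: allow only a path starting with a single "/"
    // ("//host" and "/\host" are treated as scheme-relative by browsers).
    if (!isset($target['scheme']) && !isset($target['host'])) {
        return preg_match('#^/(?![/\\\\])#', $redirect) ? $redirect : $fallback;
    }

    // Absolute target: scheme, host and port must match the site, no userinfo allowed.
    if (($target['scheme'] ?? '') !== ($site['scheme'] ?? 'https')) {
        return $fallback;
    }
    if (strcasecmp($target['host'] ?? '', $site['host']) !== 0) {
        return $fallback;
    }
    if (isset($target['user']) || isset($target['pass'])) {
        return $fallback;
    }
    if (($target['port'] ?? null) !== ($site['port'] ?? null)) {
        return $fallback;
    }
    return $redirect;
}

// Constructed inputs showing which values are accepted and which fall back to "/".
$site  = 'https://example.org';
$cases = [
    '/newsletter/thanks',                           // accepted: site-relative path
    'https://example.org/thanks?list=1',            // accepted: same origin
    'https://other.example/landing',                // rejected: foreign host
    '//other.example/landing',                      // rejected: scheme-relative
    'https://example.org@other.example/',           // rejected: userinfo trick
    "https://example.org/thanks\r\nX-Injected: 1",  // rejected: control characters
];
foreach ($cases as $c) {
    printf("%-45s => %s\n", $c, safe_redirect_target($c, $site));
}
```

Inside WordPress itself the same check is available as `wp_validate_redirect()` and `wp_safe_redirect()`, which restrict targets to the site's host and any hosts added through the `allowed_redirect_hosts` filter; a plugin that must honour a user-controlled redirect should go through those rather than calling a raw redirect with the request parameter.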

Affects Plugins

acymailing
Fixed in version 7.5.0

References

CVE
CVE-2021-24288

Classification

Type

REDIRECT

OWASP top 10
A1: Injection
CWE
CWE-601

Miscellaneous

Original Researcher

Viktor Markopoulos

Submitter

Viktor Markopoulos

Submitter website
https://www.bitcrack.net/
Submitter twitter
bitcrack_cyber
Verified

Yes

WPVDB ID
56628862-1687-4862-9ed4-145d8dfbca97

Timeline

Publicly Published

2021-04-29

Added

2021-04-29

Last Updated

2021-05-01
