Newsletter Manager < 1.5 – Unauthenticated Open Redirect | Plugin Vulnerabilities

Description

The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue

Proof of Concept

In the file '/newsletter-manager/confirmation.php':

33: $xyz_em_url = base64_decode($_GET['appurl']);
[...]
179:  header("Location:".$xyz_em_url);


http://example.com/?wp_nlm=confirmation&appurl=aHR0cDovL3d3dy5nb29nbGUuY29t will redirect to "http://www.google.com?result=failure"

Affects Plugins

newsletter-manager

Fixed in 1.5

References

URL

https://plugins.trac.wordpress.org/changeset/2157732#file60

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

posix

Submitter

posix

Verified

Yes

WPVDB ID

847b3878-da9e-47d6-bc65-3cfd2b3dc1c1

Timeline

Publicly Published

2019-05-18 (about 6 years ago)

Added

2019-05-21 (about 6 years ago)

Last Updated

2020-12-29 (about 5 years ago)

Other

Published

Title

Published

2025-04-01

Title

Integration of Zoho CRM and Contact Form 7 <= 1.0.7 - Open Redirect

Published

2020-11-27

Title

Age Gate < 2.13.5 - Unauthenticated Open Redirect

Published

2024-05-23

Title

Themify Builder < 7.5.8 - Open Redirect

Published

2025-04-01

Title

WP Clone any post type <= 3.5 - Open Redirect

Published

2025-04-07

Title

Advanced Advertising System <= 1.3.1 - Open Redirect