WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Newsletter Manager < 1.5 - Unauthenticated Open Redirect

Description

The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header() PHP function, leading to an open redirect issue

Proof of Concept

In the file '/newsletter-manager/confirmation.php':

33: $xyz_em_url = base64_decode($_GET['appurl']);
[...]
179:  header("Location:".$xyz_em_url);


http://example.com/?wp_nlm=confirmation&appurl=aHR0cDovL3d3dy5nb29nbGUuY29t will redirect to "http://www.google.com?result=failure"

Affects Plugins

newsletter-manager
Fixed in version 1.5 - plugin closed

References

URL
https://plugins.trac.wordpress.org/changeset/2157732#file60

Classification

Type

REDIRECT

OWASP top 10
A1: Injection
CWE
CWE-601

Miscellaneous

Original Researcher

posix

Submitter

posix

Verified

Yes

WPVDB ID
847b3878-da9e-47d6-bc65-3cfd2b3dc1c1

Timeline

Publicly Published

2019-05-18 (about 3 years ago)

Added

2019-05-21 (about 3 years ago)

Last Updated

2020-12-29 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin