WordPress Plugin Vulnerabilities

Noptin < 1.6.5 - Open Redirect

Description

The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue

Proof of Concept

Affects Plugins

Plugin icon
newsletter-optin-box
Fixed in 1.6.5

References

CVE
CVE-2021-25033
URL
https://plugins.trac.wordpress.org/changeset/2639592

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trang LKB
Submitter
Channchan
Verified
Yes
WPVDB ID
c2d2384c-41b9-4aaf-b918-c1cfda58af5c

Timeline

Publicly Published
2022-01-17 (about 3 years ago)
Added
2022-01-17 (about 3 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2024-09-16
Title
Share This Image < 2.04 - Open Redirect via link Parameter
Published
2019-05-18
Title
Newsletter Manager < 1.5 - Unauthenticated Open Redirect
Published
2025-02-19
Title
WPMobile.App < 11.57 - Open Redirect via 'redirect' Parameter
Published
2024-06-21
Title
Academy LMS < 2.0.11 - Open Redirect
Published
2024-02-28
Title
Travelpayouts < 1.1.17 - Open Redirect