WordPress Plugin Vulnerabilities

WP Customer Reviews < 3.7.1 - Malicious Redirect via HTTP-EQUIV Injection

Description

The plugin does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL

Proof of Concept

Affects Plugins

Plugin icon
wp-customer-reviews
Fixed in 3.7.1

References

CVE
CVE-2024-1849

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
e6d9fe28-def6-4f25-9967-a77f91899bfe

Timeline

Publicly Published
2024-03-25 (about 1 year ago)
Added
2024-03-25 (about 1 year ago)
Last Updated
2024-03-25 (about 1 year ago)

Other

Published
Title
Published
2021-10-21
Title
Pie Register < 3.7.2.4 - Open Redirect
Published
2023-02-27
Title
WP Meta SEO < 4.5.3 - Subscriber+ Improper Authorization causing Arbitrary Redirect
Published
2025-04-16
Title
GoodBarber < 1.0.27 - Open Redirect
Published
2017-07-13
Title
Download Manager <= 2.9.50 - Open Redirect
Published
2024-06-05
Title
Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect