WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect

Description

The plugin contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue

Proof of Concept

https://example.com/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://wpscan.com

Affects Plugins

webp-converter-for-media
Fixed in version 4.0.3

References

CVE
CVE-2021-25074

Classification

Type

REDIRECT

OWASP top 10
A1: Injection
CWE
CWE-601

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc
Verified

Yes

WPVDB ID
f3c0a155-9563-4533-97d4-03b9bac83164

Timeline

Publicly Published

2021-12-27 (about 9 months ago)

Added

2021-12-27 (about 9 months ago)

Last Updated

2022-04-16 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin