WordPress Plugin Vulnerabilities

Payment Gateway for Telcell < 2.0.4 - Unauthenticated Open Redirect

Description

The plugin does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue

Proof of Concept

Affects Plugins

Plugin icon
payment-gateway-for-telcell
Fixed in 2.0.4

References

CVE
CVE-2023-6786

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Enrico Marcolini, Claudio Marchesini
Submitter
Enrico Marcolini, Claudio Marchesini
Submitter website
https://www.dottormarc.it
Submitter twitter
dottormarc/
Verified
Yes
WPVDB ID
f3e64947-3138-4ec4-86c4-27b5d6a5c9c2

Timeline

Publicly Published
2024-01-30 (about 1 year ago)
Added
2024-02-27 (about 1 year ago)
Last Updated
2024-03-04 (about 1 year ago)

Other

Published
Title
Published
2021-02-16
Title
Ninja Forms < 3.4.34 - Administrator Open Redirect
Published
2023-09-01
Title
Login and Logout Redirect <= 2.0.2 - Open Redirect
Published
2021-08-25
Title
Nested Pages < 3.1.16 - Open Redirect
Published
2024-09-30
Title
EventPrime < 4.0.4.6 - Open Redirect
Published
2016-06-21
Title
WordPress 4.5.2 - Redirect Bypass