WordPress Brandfolder - Open Redirect (RFI & LFI)

By kannthu

Medium
Vidoc Module
#wp #brandfolder #edb #wpscan #wp-plugin
Description

What is the "WordPress Brandfolder - Open Redirect (RFI & LFI)" module?

The "WordPress Brandfolder - Open Redirect (RFI & LFI)" module is designed to detect vulnerabilities in the WordPress Brandfolder plugin. It specifically targets the "callback.php" endpoint and checks for remote/local file inclusion (RFI/LFI) vulnerabilities. This module was authored by 0x_Akoko and has a medium severity rating.

Impact

If exploited, this vulnerability allows remote attackers to inject an arbitrary URL into the "callback.php" endpoint via the "wp_abspath" parameter. This can result in the victim being redirected to the injected URL, potentially leading to further attacks or unauthorized access.

How does the module work?

The module sends a GET request to the following path: /wp-content/plugins/brandfolder/callback.php?wp_abspath=https://interact.sh/

The module then uses a regular expression matcher to check whether the response header contains a redirect to a URL that matches this pattern:

^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$

If the response header matches the specified pattern, the module reports a vulnerability.
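
The matcher described above can be run offline against response headers when triaging a result. This is an added example, not code from Vidoc or from the module: it applies the quoted regex to constructed header blocks and compares it with a hypothetical stricter check (`host_verdict`) that resolves the Location value and compares hosts. The host `wp.example` and all sample responses are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

# Pattern quoted on the page, with the (?m) flag shown in the module preview.
MODULE_RE = re.compile(
    r"(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$"
)
CANARY_HOST = "interact.sh"  # host the module passes in wp_abspath


def regex_verdict(raw_headers):
    """True when the module's regex matches a line of the header block."""
    return MODULE_RE.search(raw_headers) is not None


def host_verdict(request_url, raw_headers):
    """Assumed stricter check (not the module's logic): resolve Location
    against the request URL and compare the resulting host to the canary."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            host = (urlsplit(urljoin(request_url, value.strip())).hostname or "").lower()
            if host == CANARY_HOST or host.endswith("." + CANARY_HOST):
                return True
    return False


# Constructed request URL and response headers (wp.example is a placeholder).
REQUEST_URL = ("https://wp.example/wp-content/plugins/brandfolder/"
               "callback.php?wp_abspath=https://interact.sh/")
SAMPLES = {
    "off-site redirect": "HTTP/1.1 302 Found\r\nLocation: https://interact.sh/\r\n",
    "lowercase header": "HTTP/1.1 302 Found\r\nlocation: https://interact.sh/\r\n",
    "canary in query": "HTTP/1.1 302 Found\r\nLocation: https://wp.example/?n=interact.sh\r\n",
    "lookalike host": "HTTP/1.1 302 Found\r\nLocation: https://notinteract.sh/\r\n",
    "no redirect": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}


def triage():
    """Map each sample name to (regex verdict, host-check verdict)."""
    return {name: (regex_verdict(h), host_verdict(REQUEST_URL, h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rx, host) in triage().items():
        print(f"{name:18} regex={rx!s:5} host-check={host}")
```

The two checks disagree on the lowercase-header and lookalike-host samples: the regex is case-sensitive on the header name, and its host character class accepts any prefix before `interact.sh`.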

Reference

- https://www.exploit-db.com/exploits/

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-content/plugins/...
Matching conditions
regex: (?m)^(?:Location\s*?:\s*?)(?:https?://|/...
Passive global matcher
No matching conditions.
On match action
Report vulnerability