WordPress Brandfolder - Open Redirect (RFI & LFI)

What is the "WordPress Brandfolder - Open Redirect (RFI & LFI)" module?

The "WordPress Brandfolder - Open Redirect (RFI & LFI)" module is designed to detect vulnerabilities in the WordPress Brandfolder plugin. It specifically targets the "callback.php" endpoint and checks for remote/local file inclusion (RFI/LFI) vulnerabilities. This module was authored by 0x_Akoko and has a medium severity rating.

Impact

If exploited, this vulnerability allows remote attackers to inject an arbitrary URL into the "callback.php" endpoint via the "wp_abspath" parameter. This can result in the victim being redirected to the injected URL, potentially leading to further attacks or unauthorized access.

How does the module work?

The module sends a GET request to the following path: /wp-content/plugins/brandfolder/callback.php?wp_abspath=https://interact.sh/

The module then uses a regular expression matcher to check if the response header contains a redirect to a URL that matches the pattern ^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$.

If the response header matches the specified pattern, the module reports a vulnerability.

- https://www.exploit-db.com/exploits/