WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect

By kannthu

Medium
Vidoc Module
#redirect #wp-plugin #newsletter #wp #wpscan
Description

What is "WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect"?

The "WordPress Newsletter Manager < 1.5 - Unauthenticated Open Redirect" module is designed to detect an open redirect vulnerability in the WordPress Newsletter Manager plugin. This vulnerability allows an unauthenticated attacker to redirect users to malicious websites, potentially leading to phishing attacks or the exploitation of other vulnerabilities.

This module has a severity level of medium, indicating that while it is not critical, it still poses a significant risk to the security of the affected WordPress installations.

Impact

An open redirect vulnerability in the WordPress Newsletter Manager plugin can have several negative impacts, including:

- Redirecting users to malicious websites, potentially leading to phishing attacks or the installation of malware
- Exploiting other vulnerabilities in the affected WordPress installation
- Damaging the reputation and trust of the website owner

How does the module work?

The module works by sending a specific HTTP request to the target WordPress installation and analyzing the response. It checks if the response contains a redirect header that matches a specific regular expression pattern. If a match is found, the module reports the vulnerability.

Here is an example of the HTTP request sent by the module. The appurl value is the Base64 encoding of http://interact.sh:

GET /?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo HTTP/1.1
Host: [target_host]

The module uses a regular expression matcher to check if the response header contains a location that matches the pattern:

(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\|\/\\)(?:[a-zA-Z0-9\\-_.@]*)interact\.sh\/?(\/|[^.].*)?$

If the response header matches the pattern, the module reports the vulnerability.

It is important to note that this module only detects the vulnerability and does not attempt to exploit it or provide any fixes or patches.
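
The matching step described above, as an added example that is not Vidoc's module code: it decodes the appurl value from the request and applies the page's regular expression to response headers. The example.com host and the sample responses are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Matcher copied verbatim from the page.
LOCATION_RE = re.compile(
    r"(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\|\/\\)"
    r"(?:[a-zA-Z0-9\\-_.@]*)interact\.sh\/?(\/|[^.].*)?$"
)

# Request target from the page.
PROBE = "/?wp_nlm=confirmation&appurl=aHR0cDovL2ludGVyYWN0LnNo"


def decode_appurl(path):
    """Return the URL carried Base64-encoded in the appurl parameter."""
    value = parse_qs(urlsplit(path).query)["appurl"][0]
    return base64.b64decode(value).decode("ascii")


def is_flagged(raw_headers):
    """True if a Location header in the block matches the page's regex."""
    return LOCATION_RE.search(raw_headers) is not None


# Constructed response header blocks (not captured traffic).
SAMPLES = {
    # Plugin echoes the decoded appurl into Location: reported.
    "redirect to probe host":
        "HTTP/1.1 302 Found\r\nLocation: http://interact.sh\r\n\r\n",
    # No redirect at all: not reported.
    "no redirect":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    # Redirect stays on the site; probe URL only appears in the query string.
    "same-site redirect":
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.com/?u=http://interact.sh\r\n\r\n",
    # Host merely starts with interact.sh: the trailing group rejects it.
    "lookalike suffix":
        "HTTP/1.1 302 Found\r\n"
        "Location: http://interact.sh.example.com/\r\n\r\n",
}

if __name__ == "__main__":
    print("appurl decodes to:", decode_appurl(PROBE))
    for name, headers in SAMPLES.items():
        verdict = "REPORT" if is_flagged(headers) else "ok"
        print(f"{name:24} -> {verdict}")
```

The regex is case-sensitive on the header name, so a response that sends a lowercase `location:` header would need normalising before this check.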

Module preview

Concurrent Requests (1)

1. HTTP Request template: GET /?wp_nlm=confirmatio...
   Matching conditions: regex: (?m)^(?:Location\s*?:\s*?)(?:https?:\/\/...

Passive global matcher: No matching conditions.

On match action: Report vulnerability