WordPress Insufficient redirect validation

OWASP 2013-A10 OWASP 2017-A9 WSTG-CLNT-04 WASC-38 CWE-918

The redirect validation vulnerability is usually found in By changing/modifying the unvalidated URL input to a malicious site, an attacker can launch a successful phishing scam. Using the scam, the attacker can steal user credentials. An attacker can successfully exploit this vulnerability by keeping the server name in the modified link as identical to the original site. Thus, the phishing attempts may have a more trustworthy appearance. The unvalidated redirect and forward attacks can also be used to craft a maliciously URL. This URL is used to pass the application’s access control check. This URL will then forward the attacker to use privileged functions that are normally not accessible. This vulnerability affects all the web applications that use insufficient redirect validation in the HTTP class. This vulnerability may lead to Server Side Request Forgery. The affected WordPress versions are from 2.7 to 4.7.4.

Example

Impact and Fixes

Latest Articles