WordPress Insufficient redirect validation

By
Sooraj V Nair
Published on
26 Jun 2018
Vulnerability

The redirect validation vulnerability is usually found in By changing/modifying the unvalidated URL input to a malicious site, an attacker can launch a successful phishing scam. Using the scam, the attacker can steal user credentials. An attacker can successfully exploit this vulnerability by keeping the server name in the modified link as identical to the original site. Thus, the phishing attempts may have a more trustworthy appearance. The unvalidated redirect and forward attacks can also be used to craft a maliciously URL. This URL is used to pass the application’s access control check. This URL will then forward the attacker to use privileged functions that are normally not accessible. This vulnerability affects all the web applications that use insufficient redirect validation in the HTTP class. This vulnerability may lead to Server Side Request Forgery. The affected WordPress versions are from 2.7 to 4.7.4.

Example

Impact and Fixes

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment