The Events Calendar <= 4.1.1 - Open RedirectSign up to our free email alerts service for instant vulnerability notifications!
The problem is located in the "tribe-bar-view" parameter that can be used to redirect a user to an arbitrary website. Timeline * 2016-04-04 : Initial contact with Modern Tribe * 2016-04-05 : Modern Tribe confirms the report * 2016-04-07 : Modern Tribe publishes a new version (18.104.22.168) that resolves the issue
|Proof of Concept||
1. Navigate to a website using the Events Calendar. 2. Send the following POST request to the URL: tribe-bar-view=http://www.evil.com&submit-bar=Find+Events 3. The web browser will be redirected to www.evil.com.
fixed in version 22.214.171.124
|OWASP Top 10||A10: Unvalidated Redirects and Forwards|
|Publicly Published||2016-04-25 (6 months ago)|
|Added||2016-04-26 (6 months ago)|
|Last Updated||2016-08-21 (2 months ago)|
Copyright & License
|Copyright||All data and resources contained within this page and this web site is Copyright © The WPScan Team.|
|License||Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.|