WordPress StageShow plugin version 5.0.8 suffers from an open redirection vulnerability.
7a82bb92d7612d0dba83d0280dcb812042d7e0ef763831f99eccd4d44d0d2b5e
# Title: Open redirect vulnerability in StageShow Wordpress plugin v5.0.8
# Submitter: Nitin Venkatesh
# Product: StageShow Wordpress Plugin
# Product URL: https://wordpress.org/plugins/stageshow
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
# Affected Versions: v5.0.8 and possibly below
# Tested Version: v5.0.8
# Fixed Version: v5.0.9
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1165310
# Link to changelog: https://wordpress.org/plugins/stageshow/changelog/
# CVE Status: None/Unassigned/Fresh
## Product Information
StageShow adds the facility for an online Box-Office for Small
Theatres/Drama Groups, records sales, validates tickets and provides sales
downloads.
## Vulnerability Description
Open redirect vulnerability in stageshow_redirect.php file using url
parameter
## Vulnerable Source Code
31 $url = urldecode($_GET['url']);
..
34 Redirect($url, true);
35
36 function Redirect($url, $permanent = false)
37 {
38 header('Location: ' . $url, true, $permanent ? 301 : 302);
39 die;
40 }
## Proof of Concept
Sample exploit GET request:
GET
/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2F2buntu.com
## Solution:
Upgrade to v5.0.9
## Disclosure Timeline:
2015-05-19 - Discovered. Contacted developer on forums
2015-05-20 - Report mailed to developer
2015-05-21 - Update v5.0.9 released
2015-07-05 - Publishing disclosure to FD mailing list
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.