####################################################################

# Exploit Title : WordPress WP-JS-External-Link-Info Plugins 2.2.0 Open Redirection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : finewebdev.com
# Software Download Link : downloads.wordpress.org/plugin/wp-external-links.1.81.zip
downloads.wordpress.org/plugin/wp-external-links.2.2.0.zip
# Software Information Link : wordpress.org/plugins/wp-external-links/
# Software Version : 1.21 - 1.81 - 2.2.0 and all previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-js-external-link-info''
# Vulnerability Type : CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
WP External Links (nofollow new tab seo) is open source software.

Manage external and internal links on your site.

####################################################################

# Impact :
***********
WordPress Plugin WP Js External Link Info is prone to an open redirect vulnerability
because the application fails to properly verify user-supplied input.

Exploiting this issue may allow attackers to redirect users to arbitrary web sites
and conduct phishing attacks; other attacks are also possible.

WordPress Plugin WP Js External Link Info versions 1.21 - 1.81 and 2.2.0 are vulnerable;
prior versions may also be affected.

####################################################################

# Open Redirection Exploit :
*************************
/wp-content/plugins/wp-js-external-link-info/redirect.php?url=https://{OPEN-REDIRECTION}.gov

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
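
# Detection (added example, not part of the original advisory and not the plugin's code) :
A log check for requests to the redirect.php path above whose url= value leaves the site. The trusted host list, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path taken from the advisory; everything else here is an assumption.
REDIRECT_PATH = "/wp-content/plugins/wp-js-external-link-info/redirect.php"
# Hypothetical allow-list: hosts this site legitimately redirects to.
TRUSTED_HOSTS = {"blog.example.org", "www.example.org"}
# Client address and request URI from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Feb/2019:10:00:01 +0000] "GET {REDIRECT_PATH}?url=https://phish.example.net/login HTTP/1.1" 200 512',
    f'198.51.100.4 - - [14/Feb/2019:10:00:05 +0000] "GET {REDIRECT_PATH}?url=https%3A%2F%2Fblog.example.org%2Fabout HTTP/1.1" 200 498',
    f'203.0.113.9 - - [14/Feb/2019:10:00:09 +0000] "GET {REDIRECT_PATH}?url=%2F%2Fphish.example.net HTTP/1.1" 200 501',
    '198.51.100.4 - - [14/Feb/2019:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 9120',
]

def redirect_target_host(target):
    """Return the host a browser would navigate to, or None for a same-site path."""
    # Browsers treat "\" like "/" and ignore surrounding whitespace, so normalise first.
    target = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:
        return ""  # unparsable target: report it as untrusted
    if parts.scheme or target.startswith("//"):
        return (parts.hostname or "").lower()
    return None

def find_untrusted_redirects(log_lines, trusted=TRUSTED_HOSTS):
    """Return (client, target) pairs for redirect.php requests with an off-site url=."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, request_uri = m.groups()
        uri = urlsplit(request_uri)
        # Lower-case the path: the advisory lists Windows, where paths are case-insensitive.
        if uri.path.lower() != REDIRECT_PATH:
            continue
        for target in parse_qs(uri.query).get("url", []):  # parse_qs percent-decodes
            host = redirect_target_host(target)
            if host is not None and host not in trusted:
                hits.append((client, target))
    return hits
```
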