CVE-2021-24210 in PhastPress Plugin

Summary

by MITRE • 04/06/2021

There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the PHP involved in the request only goes to whitelisted pages, but it's possible to redirect the victim to any domain.


Analysis

by VulDB Data Team • 04/10/2021

CVE-2021-24210 is a critical open redirect flaw in the PhastPress WordPress plugin affecting versions before 1.111. A crafted request to a page served by the plugin makes the plugin issue an HTTP redirect to an attacker-chosen location, which lends itself to phishing and social engineering campaigns that trade on the trust users place in the legitimate site. The root cause is insufficient validation of the redirect parameter in the plugin's request handling: a link that visibly points at the trusted WordPress site, and that should land on an internal plugin page, instead routes the user to an external domain controlled by the attacker.

The flaw maps to CWE-601 (URL Redirection to Untrusted Site), the weakness class in which an application redirects to a destination taken from user-supplied input without validating it. PhastPress accepts input that determines the redirect target without sanitizing it or checking it against a whitelist of trusted domains, so the plugin's own redirect mechanism becomes the attack vector. Exploitation requires minimal technical expertise: it comes down to manipulating the URL parameters the plugin already consumes.

The impact goes beyond simple phishing. An open redirect on a trusted site can support credential harvesting, malware distribution and data exfiltration, because a user who clicks a link that genuinely points at the WordPress site can be sent, without noticing, to an attacker-controlled domain that mimics a trusted service. That is a material risk for organizations running WordPress, especially those with high user engagement or sensitive data handling requirements. The support comment referenced in the summary predates disclosure by about a year, so the behaviour was visible in the wild for that long, and many installations likely remained unpatched and exploitable during that period.

Security practitioners should update affected PhastPress installations to 1.111 or later as the first priority, since an open redirect is usable on its own in many attack scenarios and needs no further exploitation primitive. The referenced support comment, which states that the PHP involved in the request only fetches whitelisted pages while redirection to any domain remains possible, shows that the defect sits in validation of the redirect parameter rather than in the underlying fetch mechanism. Beyond patching, organizations should monitor for suspicious redirect patterns at the network or web-server log level and consider additional controls such as Content Security Policy headers to limit the impact of a successful exploit. The case also underlines the need for regular security audits and prompt patch management for third-party WordPress plugins, since many organizations do not apply plugin security updates as quickly as they apply core updates.
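As an added illustration of the missing control described above (example code written for this entry, not PhastPress code and not the plugin's fix), the following self-contained PHP validator accepts only same-site paths or absolute URLs whose host is on a whitelist, and rejects the protocol-relative, non-web-scheme and embedded-credential variants that commonly slip past naive checks. The host names are constructed placeholders.

```php
<?php
// Added example (not PhastPress code): whitelist-based validation of a
// redirect target, the control CWE-601 calls for. Host names are constructed.
declare(strict_types=1);

const ALLOWED_REDIRECT_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return a safe redirect target, or null when $target must be rejected.
 * Accepted: a same-site path starting with a single "/", or an http/https
 * URL whose host is on the whitelist. Everything else is refused.
 */
function safe_redirect_target(string $target, array $allowed = ALLOWED_REDIRECT_HOSTS): ?string
{
    // Drop control characters and surrounding whitespace some clients tolerate.
    $target = trim((string) preg_replace('/[\x00-\x1f\x7f]/', '', $target));
    if ($target === '') {
        return null;
    }
    // "//host/..." and backslash variants ("/\host") are external references
    // even though they look like paths; browsers resolve them to another origin.
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return null;
    }
    // A plain relative path stays on the current origin.
    if ($target[0] === '/') {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Only web schemes: this blocks javascript:, data: and similar.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials ("https://trusted@attacker.example/") make the
    // visible prefix look trusted while the real host is elsewhere; refuse.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    return in_array($host, $allowed, true) ? $target : null;
}

// Constructed inputs covering the accepted and the rejected cases.
var_dump(safe_redirect_target('/wp-admin/'));
var_dump(safe_redirect_target('https://www.example.com/page'));
var_dump(safe_redirect_target('//attacker.example/'));
var_dump(safe_redirect_target('https://example.com@attacker.example/'));
var_dump(safe_redirect_target('javascript:alert(1)'));
```

In WordPress itself the same check is available through wp_safe_redirect(), which validates the target against the site's own host plus any hosts added via the allowed_redirect_hosts filter, so plugin code should prefer it over a bare wp_redirect() on user-supplied input.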

Reservation

01/14/2021

Disclosure

04/06/2021

Moderation

accepted

CPE

ready

EPSS

0.03066

KEV

no

Activities

very low
