CSRF to RCE vulnerability found in popular URL redirect plugin

A cross-site request forgery (CSRF) vulnerability in a popular WordPress plugin could allow attackers to execute malicious code and take full control of target sites.

Security researchers at RIPS Tech discovered the flaw in the Redirection plugin, which has more than one million active installations and enables WordPress site owners to redirect visitors to another URL.

As noted by RIPS Tech, each WordPress installation has its own REST API that performs a CSRF validation check.

The Redirection plugin creates its own interface so that the extension keeps working even when the REST API is turned off.

This interface is not protected by the same check and can be used as a proxy, opening the door to CSRF and, from there, the execution of malicious commands.
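The pattern described above, as an added illustration that is not the Redirection plugin's code: a plugin offers an admin-ajax fallback for when the REST API is disabled, and the fallback omits the nonce and capability checks that WordPress core applies to REST requests. The weak handler sits beside a hardened version that uses the same protections as the REST route. All plugin, function and option names (my_redirects_*) are hypothetical; the WordPress functions called (check_ajax_referer, current_user_can, register_rest_route, wp_create_nonce, and so on) are real core APIs.

```php
<?php
/**
 * Added illustration (not the Redirection plugin's code). Names such as
 * my_redirects_* and the option key are hypothetical.
 */

// --- Weak form: fallback endpoint that skips the checks core would apply ----
// Core's REST API only accepts cookie-authenticated requests that carry a
// valid 'wp_rest' nonce (the admin UI sends it as the X-WP-Nonce header).
// This fallback re-implements the same operation outside that check, so any
// page the logged-in administrator visits can trigger it on their behalf.
function my_redirects_ajax_save_unchecked() {
    // No nonce verification and no capability check.
    $rules = json_decode( wp_unslash( $_POST['rules'] ?? '[]' ), true );
    update_option( 'my_redirects_rules', $rules );   // untrusted data persisted as-is
    wp_send_json_success();
}
add_action( 'wp_ajax_my_redirects_save_unchecked', 'my_redirects_ajax_save_unchecked' );

// --- Hardened form: same fallback, same protections the REST route has -----
function my_redirects_ajax_save() {
    // 1. CSRF: the request must carry a nonce bound to this action and user.
    //    check_ajax_referer() terminates the request if it is absent or stale.
    check_ajax_referer( 'my_redirects_save', 'nonce' );

    // 2. Authorisation: a valid nonce proves the request came from our own UI;
    //    it does not prove the user is allowed to change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: accept only the shape we expect before storing it.
    $rules = json_decode( wp_unslash( $_POST['rules'] ?? '[]' ), true );
    if ( ! is_array( $rules ) ) {
        wp_send_json_error( 'invalid rules', 400 );
    }
    $clean = array();
    foreach ( $rules as $rule ) {
        if ( empty( $rule['from'] ) || empty( $rule['to'] ) ) {
            continue;
        }
        $clean[] = array(
            'from' => sanitize_text_field( $rule['from'] ),
            'to'   => esc_url_raw( $rule['to'] ),
        );
    }
    update_option( 'my_redirects_rules', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_my_redirects_save', 'my_redirects_ajax_save' );

// The REST route the fallback mirrors: permission_callback supplies the
// capability check, and core's cookie authentication supplies the nonce check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'my-redirects/v1', '/rules', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $rules = $req->get_json_params();
            update_option( 'my_redirects_rules', is_array( $rules ) ? $rules : array() );
            return rest_ensure_response( get_option( 'my_redirects_rules' ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// The admin page hands both nonces to its script (assumed registered as
// 'my-redirects-admin') so either transport can present the right token.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'my-redirects-admin', 'myRedirects', array(
        'ajaxNonce' => wp_create_nonce( 'my_redirects_save' ),
        'restNonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );
```

When reviewing a plugin that ships a non-REST fallback, compare the two code paths line by line: every check the REST route gets for free from core (nonce, capability, input schema) has to be reproduced explicitly in the fallback, or the fallback becomes the weakest path to the same state-changing operation.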

For the bug to be exploited, a site owner would simply have to visit a malicious website, without clicking on anything within the page.

After being alerted to the CSRF to RCE flaw, the plugin author released a patch on the same day.

Users should make sure they update to the latest version (3.6.5) of Redirection.

Site owners can mitigate this class of attack entirely by conducting their WordPress administration in a separate browser.

A month of WordPress bugs

Details of the vulnerability come as part of a month of disclosures from Germany-based RIPS Tech.

The ‘PHP Security Advent Calendar’ will analyze 24 security bugs detected in WordPress plugins in the lead-up to Christmas.

The featured plugins have more than 6.7 million installs combined.

“Our daily gifts are [aimed at] PHP developers and security engineers who enjoy learning about new security tricks in general and specifically for WordPress,” said the company’s Johannes Dahse.