WordPress Has Left Known Vulnerable Plugin in Their Plugin Directory for 2 1/2 Months
An open redirect is a type of vulnerability that allows a request sent to one website to be redirected to another website. It is an issue known to be abused by spammers, and over the years we have seen plenty of probing for websites using WordPress plugins that have contained that type of vulnerability. At the end of February, a division of Automattic, the company closely associated with WordPress, disclosed an unfixed instance of this type of vulnerability in the Travelpayouts plugin, which according to WordPress is used on at least 7,000 websites. The vulnerability has yet to be fixed, and yet the plugin is still available in the WordPress Plugin Directory.
While WordPress has failed to respond here, the developer’s response shows how poorly WordPress plugin developers often respond to vulnerabilities on their own. One response was to claim there wasn’t a security issue and that the vulnerable functionality only allowed internal redirects:
Our development team has reviewed your report and identified the feature in question as an intended function for internal redirects. So it won’t cause any security issues.
If this only allowed internal redirects, there wouldn’t, by definition, be an open redirect issue, but there is one.
They also claimed that there wasn’t a vulnerability, because the vulnerable functionality aligns with their intended use:
Our development team has reviewed the vulnerability report and concluded that the current implementation aligns with our intended use. Therefore, it does not represent a security vulnerability within the context of our plugin’s operation.
After that, they somewhat vaguely claimed this would be resolved at some point in the future:
Thank you for providing the link. Our development team has thoroughly reviewed the information and confirmed that the fix will be included in the next release of the plugin, which is scheduled within the upcoming weeks.
If the functionality is actually only intended for internal redirects, fixing it wouldn’t take weeks. Instead, all it would take is replacing usage of the function wp_redirect() with wp_safe_redirect() in the following line of code in the plugin:
wp_redirect(urldecode($redirectUrl), 301);
(That line is in the file /src/components/tables/enrichment/UrlHelper.php)
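As an added example (not the plugin's code and not WordPress core's code), the following PHP puts that line beside its wp_safe_redirect() replacement and includes a simplified, WordPress-free emulation of the host check that wp_safe_redirect() performs through wp_validate_redirect(), so the difference can be seen from the command line. The site host example.com and the sample inputs are constructed.

```php
<?php
// validate_redirect_target() is a simplified emulation of the checks
// wp_validate_redirect() applies; a real plugin calls wp_safe_redirect()
// and lets WordPress core do this. $siteHost is an assumed value.
function validate_redirect_target(string $target, string $siteHost, string $fallback = '/'): string
{
    // Drop characters a URL never needs. This also turns "/\evil.example" into
    // "/evil.example" and removes CR/LF that could otherwise split headers.
    $loc = preg_replace('|[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]|i', '', trim($target));
    // Browsers treat "//host" as "http://host", so make the host visible to parse_url().
    if (substr($loc, 0, 2) === '//') {
        $loc = 'http:' . $loc;
    }
    $parts = parse_url($loc);
    if ($parts === false) {
        return $fallback;
    }
    // Only http and https; no javascript:, data: or other schemes.
    if (isset($parts['scheme']) && !in_array($parts['scheme'], ['http', 'https'], true)) {
        return $fallback;
    }
    // A scheme, userinfo or port without a host is an odd URL parse_url() could not place; refuse it.
    if (!isset($parts['host']) && (isset($parts['scheme']) || isset($parts['user']) || isset($parts['pass']) || isset($parts['port']))) {
        return $fallback;
    }
    // Off-site host: fall back to the site itself instead of following it.
    if (isset($parts['host']) && strtolower($parts['host']) !== strtolower($siteHost)) {
        return $fallback;
    }
    return $loc;
}

// The pattern from the plugin: urldecode() then wp_redirect(), which follows any host.
// (Requires WordPress to run; shown here only for contrast.)
function vulnerable_redirect(string $redirectUrl): void
{
    wp_redirect(urldecode($redirectUrl), 301);
    exit;
}

// The one-line fix: wp_safe_redirect() validates the target, so an off-site
// target is replaced by the site's home URL. (Also requires WordPress.)
function safe_redirect(string $redirectUrl): void
{
    wp_safe_redirect(urldecode($redirectUrl), 301);
    exit;
}

// Constructed inputs, as the plugin would receive them before urldecode().
foreach (['%2Fshop%2F', '%2F%2Fevil.example%2F', 'https%3A%2F%2Fevil.example', '%2F%5Cevil.example', 'javascript%3Aalert(1)'] as $raw) {
    printf("%-28s -> %s\n", urldecode($raw), validate_redirect_target(urldecode($raw), 'example.com'));
}
```

Only the first and the backslash-stripped fourth input survive as same-site paths; the protocol-relative, absolute off-site and javascript: targets all collapse to the fallback, which is exactly the behaviour the wp_safe_redirect() swap gives the plugin.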
Another solution for unfixed vulnerabilities similar to this would be to use a well-developed WordPress firewall plugin, like our own Plugin Vulnerabilities Firewall, which is able to stop the open redirect vulnerability in this plugin from being exploited.