In looking over some of the instances where plugins have been run through our Plugin Security Checker tool and have been flagged for possibly containing open redirect vulnerabilities, what we have usually found is that these lead to vulnerabilities that are limited in scope, say the redirect can only occur for logged-in Administrators. With the plugin JSON API, which someone checked with the tool recently, there isn’t any restriction.
Seeing as even a number of the 1,000 most popular WordPress plugins in the Plugin Directory are not doing things in a secure way, we thought it would be a good idea to emphasize something from a previous post, which is that if you are using the function wp_redirect() to handle redirections that will only go to other pages on the same website you should instead use wp_safe_redirect(). That latter function makes sure that any attempt to redirect to another website will not work, which can help you to avoid open redirect vulnerabilities in your plugins.
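To make the difference concrete, here is an added example (not code from this post or from any of the plugins mentioned) of a plugin handler that sends visitors back to a "return" page taken from the request. The function names, the `return` query parameter and the `checkout.example.com` host are constructed for illustration; wp_redirect(), wp_safe_redirect(), wp_validate_redirect() and the `allowed_redirect_hosts` filter are the real WordPress functions and filter.

```php
<?php
// Added example, not part of the original post.
// Both handlers read a "return" URL from the request and redirect to it.

// Vulnerable pattern: wp_redirect() sends the Location header for whatever URL
// it is given, so a link crafted with an off-site "return" value sends any
// visitor, logged in or not, to that other site. This is the open redirect.
function example_vulnerable_return_redirect() {
	if ( ! isset( $_GET['return'] ) ) {
		return;
	}
	$target = wp_unslash( $_GET['return'] );
	wp_redirect( $target );
	exit;
}

// Hardened pattern: wp_safe_redirect() runs the URL through
// wp_validate_redirect(), which only allows relative paths and URLs whose host
// is this site's own host (plus any hosts added through the
// allowed_redirect_hosts filter). Anything else is replaced by the fallback,
// which defaults to admin_url() and can be changed with the
// wp_safe_redirect_fallback filter. Protocol-relative URLs (//other-site) are
// normalised before the host check, so they do not slip through.
function example_safe_return_redirect() {
	if ( ! isset( $_GET['return'] ) ) {
		return;
	}
	$target = wp_unslash( $_GET['return'] );
	wp_safe_redirect( $target );
	exit; // wp_safe_redirect() does not stop execution; the caller must.
}

// When a custom fallback is wanted (here: the site front page instead of the
// admin area), call wp_validate_redirect() directly and pass the result to
// wp_redirect(). The second argument is used whenever the URL fails the check.
function example_validated_return_redirect() {
	if ( ! isset( $_GET['return'] ) ) {
		return;
	}
	$target = wp_validate_redirect( wp_unslash( $_GET['return'] ), home_url( '/' ) );
	wp_redirect( $target );
	exit;
}

// If the plugin legitimately has to redirect to one other host (a payment or
// checkout host, for example), allow-list that host explicitly rather than
// falling back to wp_redirect(). Hostname is constructed for this example.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
	$hosts[] = 'checkout.example.com';
	return $hosts;
} );
```

The check that matters is done inside wp_validate_redirect(): the user-supplied value is parsed, its host is compared against the allow-list, and a failure yields the fallback rather than the supplied URL. Reviewing a plugin for this issue therefore comes down to finding each wp_redirect() call whose argument can be influenced by the request and confirming that the value has been through wp_validate_redirect() (or that wp_safe_redirect() is used instead).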
Recently Ricardo Sanchez disclosed a reflected cross-site scripting (XSS) vulnerability in the plugin SagePay Server Gateway for WooCommerce. When we went to test that out while adding the vulnerability to our data set, we noticed a strange result. The proof of concept URL was
We have recently been increasing the number of new vulnerabilities we include in our data through better monitoring of changes made to plugins, so that in more cases where there hasn’t been a report released on the vulnerability we can still include the vulnerability. Combined with that, we have increased the number of posts we have put out detailing those vulnerabilities. Seeing as we often find that vulnerabilities have been only partially fixed or not fixed at all, that also is likely to mean we will find more vulnerabilities that haven’t been fixed, despite an attempt to do so.