[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVtpPCQ8iosG3O_7AGlaxVInR7DcFPaYkIHVWcGMAYD8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-25392","update-urls-quick-and-easy-way-to-search-old-links-and-replace-them-with-new-links-in-wordpress-unauthenticated-open-red","Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress \u003C= 1.4.1 - Unauthenticated Open Redirect","The Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.4.1. This is due to insufficient validation on a redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.","update-urls",null,"\u003C=1.4.1","medium",5.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:N\u002FI:L\u002FA:N","URL Redirection to Untrusted Site ('Open Redirect')","2026-01-30 00:00:00","2026-05-04 15:30:39",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F366ff716-e325-48e2-8fbd-ad4edbdaf9eb?source=api-prod",[],"researched",false,3,"This research plan targets **CVE-2026-25392**, an unauthenticated open redirect vulnerability in the **Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links (Update URLs)** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe \"Update URLs\" plugin (slug: `update-urls`) facilitates bulk searching and replacing of links within a WordPress database. The vulnerability exists because the plugin handles a user-supplied URL in a redirection function without performing sufficient validation or using WordPress's safe redirection functions (like `wp_safe_redirect`). This allows an attacker to craft a URL that redirects a victim from a trusted site to a malicious external domain.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Likely a hook registered to `init`, `wp_loaded`, or an `admin-post.php` action.\n*   **Parameter:** A GET or POST parameter carrying the target URL (e.g., `url`, `redirect_to`, `link`, or `path`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. The attacker needs to identify the specific query parameter or action that triggers the redirect logic.\n\n### 3. Code Flow (Hypothetical\u002FInferred)\nAs source files are not provided, the following flow is inferred based on standard Open Redirect patterns in similar plugins:\n\n1.  **Entry Point:** The plugin registers a hook in its main file or an includes file (e.g., `includes\u002Fclass-update-urls.php`).\n    ```php\n    \u002F\u002F Inferred registration\n    add_action('init', 'update_urls_handle_redirect');\n    \u002F\u002F OR\n    add_action('admin_post_nopriv_update_urls_redirect', 'update_urls_handle_redirect');\n    ```\n2.  **Processing:** The function `update_urls_handle_redirect` checks for a specific trigger parameter.\n    ```php\n    function update_urls_handle_redirect() {\n        if (isset($_GET['update_urls_redirect'])) { \u002F\u002F Inferred parameter name\n            $target = $_GET['update_urls_redirect'];\n            \u002F\u002F VULNERABILITY: No validation or use of wp_validate_redirect\n            wp_redirect($target); \n            exit;\n        }\n    }\n    ```\n3.  **Sink:** The `wp_redirect()` function is called with raw user input, facilitating a redirect to any domain.\n\n### 4. Nonce Acquisition Strategy\nOpen Redirect vulnerabilities typically occur in features designed for navigation or link testing where nonces are often omitted to allow \"clean\" URLs. \n\n*   **Audit Step:** Search the plugin code for `wp_verify_nonce` or `check_admin_referer` near any `wp_redirect` or `header(\"Location: ...\")` calls.\n*   **Bypass:** If a nonce is required but the handler is registered via `wp_ajax_nopriv_` or `admin_post_nopriv_`, check if the nonce is exposed in the frontend via `wp_localize_script`.\n*   **JS Variable:** If localized, look for `window.update_urls_params?.nonce` (inferred).\n\n### 5. Exploitation Strategy\n\n#### Phase 1: Discovery (Finding the Sink)\nThe agent must first identify the parameter and hook.\n1.  **Search for Redirects:**\n    `grep -rnE \"wp_redirect|header\\s*\\(\\s*['\\\"]Location\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fupdate-urls\u002F`\n2.  **Identify the Input:** Look at the lines found. Determine which `$_GET` or `$_POST` variable is passed to the redirect function.\n3.  **Identify the Trigger:** Check if the function is wrapped in an `if(isset(...))` block or registered to an `admin_post` action.\n\n#### Phase 2: Execution\nOnce the parameter (e.g., `url`) and trigger (e.g., `action=test_link`) are found:\n\n**Request Example (Inferred):**\n```http\nGET \u002Fwp-admin\u002Fadmin-post.php?action=update_urls_test_link&url=https:\u002F\u002Fattacker.com HTTP\u002F1.1\nHost: target.local\n```\n*Alternatively, if it's on `init`:*\n```http\nGET \u002F?update_urls_redirect=https:\u002F\u002Fattacker.com HTTP\u002F1.1\nHost: target.local\n```\n\n### 6. Test Data Setup\n1.  Install and activate the \"Update URLs\" plugin version 1.4.1.\n2.  No specific database content is required as this vulnerability typically resides in the redirect logic itself rather than database processing.\n3.  If the redirect is tied to a \"Preview\" feature, create a dummy post with a link to ensure the plugin's scripts are loaded (if needed for discovery).\n\n### 7. Expected Results\n*   The server should respond with a `301` or `302` Redirect status code.\n*   The `Location` header in the HTTP response must point exactly to the external URL provided (e.g., `https:\u002F\u002Fattacker.com`).\n*   Example Response:\n    ```http\n    HTTP\u002F1.1 302 Found\n    Location: https:\u002F\u002Fattacker.com\n    Content-Type: text\u002Fhtml; charset=UTF-8\n    ```\n\n### 8. Verification Steps\n1.  **Browser Verification:** Use `browser_navigate` to the crafted URL and use `browser_eval(\"window.location.href\")` to confirm the browser successfully moved to `attacker.com`.\n2.  **HTTP Header Check:** Use `http_request` and inspect the `headers` object in the response to confirm the `Location` header.\n\n### 9. Alternative Approaches\n*   **Protocol Bypasses:** If `wp_redirect` is used and some validation exists, try `\u002F\u002Fattacker.com` (protocol-relative) or `\u002F%0d%0aLocation:%20https:\u002F\u002Fattacker.com` (CRLF injection if the PHP version is old\u002Fvulnerable).\n*   **Path Traversal\u002FLocal Redirect:** If external domains are blocked, test if the plugin allows redirecting to sensitive internal paths like `\u002Fwp-admin\u002Fuser-new.php`.\n*   **Action Search:** If `admin-post.php` returns a 200, search the codebase for `add_action( 'wp_ajax_nopriv_` to see if the redirect is handled via an AJAX callback instead.","The Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links plugin for WordPress is vulnerable to an unauthenticated open redirect due to insufficient validation of user-supplied URLs in its redirection logic. This allows attackers to craft links that redirect victims from a trusted site to a malicious external domain.","\u002F\u002F Inferred logic based on research plan from the plugin's redirect handler\n\nfunction update_urls_handle_redirect() {\n    if (isset($_GET['update_urls_redirect'])) {\n        $target = $_GET['update_urls_redirect'];\n        \u002F\u002F VULNERABILITY: No validation or use of wp_validate_redirect\n        wp_redirect($target); \n        exit;\n    }\n}","--- a\u002Fupdate-urls\u002Fincludes\u002Fclass-update-urls.php\n+++ b\u002Fupdate-urls\u002Fincludes\u002Fclass-update-urls.php\n@@ -10,1 +10,1 @@\n-    wp_redirect($target);\n+    wp_safe_redirect($target);","The exploit involves identifying the specific trigger parameter and endpoint (likely an 'init' hook or an 'admin-post.php' action) that handles redirects. An unauthenticated attacker crafts a URL containing the target malicious site in the redirect parameter (e.g., '\u002F?update_urls_redirect=https:\u002F\u002Fattacker.com'). When a victim clicks this link, the plugin processes the request and issues a 302 Redirect header to the external site without verifying if the domain is safe or internal, facilitating a phishing or malware delivery attack.","gemini-3-flash-preview","2026-05-04 20:29:58","2026-05-04 20:30:17",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fupdate-urls\u002Ftags"]