[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$famwBK0Sw4fSWzFAmpRjKGHMHM6Gfd7kc5p72572q5Tw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":41},"CVE-2026-6203","user-registration-membership-unauthenticated-open-redirect-via-redirecttoonlogout-parameter","User Registration & Membership \u003C= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter","The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.","user-registration",null,"\u003C=5.1.4","5.1.5","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","URL Redirection to Untrusted Site ('Open Redirect')","2026-04-13 09:51:38","2026-04-13 22:25:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F020bed37-9544-49b7-941d-3b7f509fdfdf?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.txt","assets\u002Fcss\u002Fadmin-rtl.css","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.scss","assets\u002Fcss\u002Fcomponents\u002F_toggle.scss","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-admin.css","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-admin.scss","assets\u002Fcss\u002Fmodules\u002Fmembership\u002Fuser-registration-membership-frontend.css","researched",false,3,"This research plan targets CVE-2026-6203, an Open Redirect vulnerability in the \"User Registration & Membership\" plugin (\u003C= 5.1.4).\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin handles logout redirections using the `wp_redirect()` function instead of `wp_safe_redirect()`. While the plugin sanitizes the `redirect_to_on_logout` parameter with `esc_url_raw()`, this function only removes dangerous characters and malformed URL structures; it does not validate that the destination belongs to the local domain. Consequently, an attacker can provide an external URL (e.g., `https:\u002F\u002Fmalicious-site.com`), and the plugin will redirect the user there upon logout.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The logout handler, typically triggered via a GET request to the \"My Account\" page or the site root with specific logout query parameters.\n*   **Vulnerable Parameter:** `redirect_to_on_logout` (GET).\n*   **Authentication:** Not strictly required for the redirect to trigger in some configurations, but primarily exploited by tricking a logged-in user into clicking the link to log them out and redirect them to a phishing site.\n*   **Preconditions:** The plugin must be active. A \"My Account\" page or a page containing the User Registration logout link facilitates finding the correct logout trigger.\n\n### 3. Code Flow (Inferred)\nSince the full PHP source is not provided, the flow is grounded in the vulnerability description and standard plugin architecture:\n1.  **Entry Point:** The plugin listens for a logout action, likely via the `template_redirect` or `init` hook.\n2.  **Parameter Extraction:** The code checks for the existence of `$_GET['redirect_to_on_logout']`.\n3.  **Sanitization:** The value is passed through `esc_url_raw()` (e.g., `$url = esc_url_raw( $_GET['redirect_to_on_logout'] );`).\n4.  **Vulnerable Sink:** The code calls `wp_redirect( $url )` directly.\n5.  **Execution:** The server sends a `302 Found` response with a `Location` header pointing to the external site.\n\n### 4. Nonce Acquisition Strategy\nWordPress logout logic usually requires a `_wpnonce` to prevent CSRF-based logout. However, Open Redirects are often found in custom logout implementations that may bypass or have already validated the nonce before processing the redirect.\n\n**Strategy:**\n1.  **Identify the Logout Trigger:** Use the \"My Account\" shortcode.\n2.  **Create Test Page:** \n    `wp post create --post_type=page --post_title=\"Account\" --post_status=publish --post_content='[user_registration_my_account]'`\n3.  **Navigate and Extract:**\n    *   Navigate to the newly created `\u002Faccount\u002F` page using `browser_navigate`.\n    *   If logged in, look for the \"Logout\" link.\n    *   Use `browser_eval` to extract the link: `browser_eval(\"document.querySelector('a[href*=\\\"logout\\\"]').href\")`.\n4.  **Analyze Link:** The link will likely look like `[URL]?ur_logout=true&_wpnonce=[NONCE]` or `[URL]\u002Fuser-logout\u002F?_wpnonce=[NONCE]`.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that the `Location` header in the response points to an external domain.\n\n**Step-by-Step:**\n1.  **Setup User:** Create a subscriber user and log in to obtain session cookies.\n2.  **Obtain Logout URL:** Access the \"My Account\" page to get the valid logout link (including the required nonce).\n3.  **Craft Payload:** Append `&redirect_to_on_logout=https:\u002F\u002Fexample.com` to the valid logout URL.\n4.  **Request:** Use the `http_request` tool to perform a GET request to the crafted URL, ensuring the subscriber cookies are included.\n5.  **Analysis:** Check the response status (should be 302) and the `Location` header.\n\n**HTTP Request Template:**\n```http\nGET \u002F[MY_ACCOUNT_PAGE]\u002F?ur_logout=true&_wpnonce=[NONCE]&redirect_to_on_logout=https:\u002F\u002Fexample.com HTTP\u002F1.1\nHost: [TARGET_HOST]\nCookie: [SUBSCRIBER_COOKIES]\n```\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `user-registration` version 5.1.4 is installed.\n2.  **Account Page:**\n    `wp post create --post_type=page --post_title=\"My Account\" --post_status=publish --post_content='[user_registration_my_account]' --post_name=my-account`\n3.  **User Creation:**\n    `wp user create victim victim@example.com --role=subscriber --user_pass=password123`\n4.  **Login:** Use `http_request` or the browser tool to log in as `victim`.\n\n### 7. Expected Results\n*   **Status Code:** `302 Found`.\n*   **Header:** `Location: https:\u002F\u002Fexample.com`.\n*   **Behavior:** The user session is terminated (logged out), and the browser is redirected to a non-local domain.\n\n### 8. Verification Steps\n1.  **Intercept Response:** Use the `http_request` output to verify the `Location` header contains `https:\u002F\u002Fexample.com`.\n2.  **Verify Logout:** After the request, try to access `\u002Fwp-admin\u002F` or the \"My Account\" page with the same cookies. It should prompt for login or show the logged-out view, confirming the logout action was processed.\n\n### 9. Alternative Approaches\nIf the `redirect_to_on_logout` parameter is not processed on the logout URL itself, check the plugin settings:\n*   Some versions of this plugin allow setting a global \"Logout Redirect URL\" in the settings. Check if this setting is vulnerable to being overridden by the GET parameter on *any* page where the plugin is active.\n*   Test if the redirect works even *without* a valid logout nonce. If it does, the vulnerability is a pure Open Redirect that doesn't even require a successful logout.\n*   Try common parameter variations: `redirect_to`, `redirect_url`, or `return_to` if `redirect_to_on_logout` fails. (Note: The CVE specifically names `redirect_to_on_logout`).","The User Registration & Membership plugin for WordPress is vulnerable to an unauthenticated Open Redirect due to insufficient validation of the 'redirect_to_on_logout' parameter. Attackers can craft malicious logout links that redirect users to external phishing sites, leveraging the plugin's use of wp_redirect() instead of wp_safe_redirect().","\u002F\u002F The plugin likely processes logout redirection in a hook similar to template_redirect or init\n\nif ( isset( $_GET['redirect_to_on_logout'] ) ) {\n    $redirect_url = esc_url_raw( $_GET['redirect_to_on_logout'] );\n    wp_redirect( $redirect_url );\n    exit;\n}","--- a\u002Fincludes\u002Fclass-ur-account-handler.php\n+++ b\u002Fincludes\u002Fclass-ur-account-handler.php\n@@ -102,7 +102,7 @@\n \t\t\tif ( isset( $_GET['redirect_to_on_logout'] ) ) {\n \t\t\t\t$redirect_url = esc_url_raw( wp_unslash( $_GET['redirect_to_on_logout'] ) );\n-\t\t\t\twp_redirect( $redirect_url );\n+\t\t\t\twp_safe_redirect( $redirect_url );\n \t\t\t\texit;\n \t\t\t}","1. Identify the logout URL: Navigate to the 'My Account' page (generated by the [user_registration_my_account] shortcode) and extract the 'Logout' link, which typically contains a valid WordPress security nonce (e.g., \u002F?ur_logout=true&_wpnonce=abcdef123).\n2. Craft the payload: Append the vulnerable parameter 'redirect_to_on_logout' to this URL, setting its value to an external malicious domain (e.g., &redirect_to_on_logout=https:\u002F\u002Fevil-phishing-site.com).\n3. Trigger the redirect: Trick a logged-in user into clicking the crafted link. The plugin will terminate the user's session and, because it uses the non-restricted wp_redirect() function, it will redirect the user to the specified external URL.\n4. Authentication Requirement: The attacker requires no authentication, but the victim must be logged in for the logout action (and subsequent redirect) to process normally.","gemini-3-flash-preview","2026-04-16 16:02:49","2026-04-16 16:03:15",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags\u002F5.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-registration.5.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-registration\u002Ftags"]