The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an…
WPScan·CWE-601·Published 2021-07-06
The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimate one, asking them to re-enter their credentials (which will then in the attacker hands)
The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimate one, asking them to re-enter their credentials (which will then in the attacker hands)
El plugin wpForo Forum de WordPress versiones anteriores a 1.9.7,[ no comprueba el parámetro redirect_to en el formulario de inicio de sesión del foro, conllevando a un problema de redirección abierta tras un inicio de sesión con éxito. Este problema podría permitir a un atacante inducir a un usuario a usar una URL de inicio de sesión que redirigiera a un sitio web bajo su control y que fuera una réplica del legítimo, pidiéndole que volviera a introducir sus credenciales (que luego estarían en manos del atacante)
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.8 | 8.6 | 4.9 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| 3.1 | Primary | NVD | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |