id: CVE-2024-0337

info:
  name: Travelpayouts <= 1.1.16 - Open Redirect
  author: s4e-io
  severity: medium
  description: |
    The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
  impact: |
    Unauthenticated attackers can redirect users to malicious sites for phishing attacks, credential harvesting, or malware distribution by exploiting insufficient redirect validation.
  remediation: |
    Upgrade to the latest version of the Travelpayouts plugin that addresses this open redirect vulnerability.
  reference:
    - https://wpscan.com/vulnerability/2f17a274-8676-4f4e-989f-436030527890/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0337
  classification:
    cve-id: CVE-2024-0337
    epss-score: 0.00891
    epss-percentile: 0.546
  metadata:
    verified: true
    max-request: 1
    publicwww-query: inurl:"/wp-content/plugins/travelpayouts"
  tags: wpscan,cve,cve2024,wp,wp-plugin,wordpress,redirect,travelpayouts,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/?travelpayouts_redirect=https://oast.me"

    redirects: true
    max-redirects: 2
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'
# digest: 4a0a00473045022100e44fcf558782052f32b9241705869a6de32f2b6f80edd49166d057edf607ee8702201d2f7b5e547a9906bd21a938c6c098d86c94c5041ded709950d14e781ae625da:922c64590222798bb761d5b6d8e72950