Authenticated settings change vulnerability in WordPress Quick Page/Post Redirect plugin (unpatched).

This plugin is no longer maintained and the vulnerability has never been fixed. Make sure to follow the recommendations below.

Quick Page/Post Redirect, a WordPress plugin with 200,000+ active installations, is prone to an authenticated settings change vulnerability in version 5.1.9 and below.

A missing capability check and a weak security nonce could allow a low-privileged user, such as a contributor, to modify the plugin settings and create a redirect that forwards all of the site's traffic to an external malicious website. Redirections are performed via the “Location” header:

$ curl https://example.org/ -I
HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Feb 2020 15:44:05 GMT
RedirectType: Quick Page Post Redirect - Quick
X-Redirect-By: WordPress
Location: https://evil.com/
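To check whether a site has already been hijacked this way, the following POSIX shell function (an added example, not part of the advisory) inspects captured response headers and reports a 3xx redirect whose Location points to a host other than the site's own. The sample headers and the example.org hostname are constructed from the output above.

```shell
# Report whether captured HTTP response headers redirect off-site.
# Usage: offsite_redirect "<raw headers>" "<site's own host>"
# Returns 0 if the status is 3xx and Location points to another host, 1 otherwise.
offsite_redirect() {
    headers=$1
    own_host=$2
    # Only a 3xx status line counts as a redirect.
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    case "$status" in
        3[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Extract the first Location value (header name is case-insensitive), dropping CRs.
    location=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1)=="location:"{sub(/^[^:]*:[ \t]*/, ""); print; exit}')
    [ -n "$location" ] || return 1
    # Reduce the URL to its host: strip scheme, then path, then port.
    loc_host=$(printf '%s\n' "$location" \
        | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#/.*##' -e 's#:.*##')
    # A relative Location (no host part) stays on-site.
    [ -n "$loc_host" ] || return 1
    [ "$loc_host" != "$own_host" ]
}

# Constructed sample: the hijacked response shown in the advisory.
SAMPLE_HIJACKED='HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Feb 2020 15:44:05 GMT
RedirectType: Quick Page Post Redirect - Quick
X-Redirect-By: WordPress
Location: https://evil.com/'

# Constructed sample: a benign on-site redirect (e.g. http to https).
SAMPLE_BENIGN='HTTP/1.1 301 Moved Permanently
Location: https://example.org/'

# Live use: feed the function the output of "curl -sI https://example.org/":
#   offsite_redirect "$(curl -sI https://example.org/)" example.org && echo "off-site redirect detected"
```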

Additional issues were also found in the plugin; however, because they won’t be fixed, we won’t provide more details.

Timeline

We discovered the vulnerability and reported it to the author, unsuccessfully, on February 17th, 2020. The plugin was removed from the wordpress.org repo on February 28th, 2020.

Recommendations

We recommend uninstalling this plugin, as there isn’t any security patch available. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet