Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Ultimate Member <= 2.3.1 - Open Redirect

Summery

Some URL components (Facebook, Twitter, LinkedIn, Instagram, YouTube, SoundCloud, VKontakte) in user profile exist open redirect vulnerability.

Vulnerability proof

'@' character can be used to bypass the host detection of some URL components.

1.Enter malicious URLs into the components.

For example:

Facebook component checks whether the URL redirects to https://facebook.com or not. Attackers construct malicious URL https://facebook.com@baidu.com and save it.

image

2.Reload the user profile and click "Facebook" component.

image

3.When people click the "Facebook" URL, website will redirects to https://baidu.com.

image