WeCanTrack Affiliate Sales Open Redirect Vulnerability in WordPress Plugin

Vulnerability

An open redirect vulnerability has been identified in the WeCanTrack Affiliate Sales in Google Analytics and Other Tools plugin for WordPress, affecting all versions up to and including 1.4.9. The issue arises from insufficient validation of the redirect target supplied in the 'afflink' request parameter. An unauthenticated attacker can use the site to redirect visitors to an arbitrary external URL, provided they can persuade a victim to perform an action such as clicking a crafted link.

Impact

A crafted link carries the trusted site's domain but lands the victim on an attacker-controlled page, which makes phishing or malware-delivery lures more convincing. No site data is exposed by the redirect itself; the impact is limited to the abuse of the site's reputation as a relay.

Reproduction

The vulnerability can be reproduced by sending a request to a site with the plugin active and the 'afflink' parameter set. If the value starts with 'http' and is longer than 50 characters, the plugin redirects the visitor to it without further validation. Both conditions are trivial for an attacker to satisfy (a padded query string is enough to reach the length), so any external URL is accepted as a redirect target.
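To make the weakness concrete, the following added example (not the plugin's own code) reconstructs the accept condition as the advisory describes it, beside a hardened check that forwards only to http(s) URLs whose host is on an allowlist. The allowlisted hosts and the sample 'afflink' values are constructed for the example; the hardened version also rejects userinfo tricks such as `https://trusted@evil.example/`, which a plain prefix or substring match on the trusted host name would let through.

```python
"""Added example, not the WeCanTrack plugin's code: the described
open-redirect accept condition beside a host-allowlist replacement."""
from urllib.parse import urlsplit

# Hypothetical allowlist of the affiliate-network hosts a site links through.
ALLOWED_HOSTS = frozenset({"network.example", "www.network.example"})

# Constructed sample values for the 'afflink' parameter.
PHISH_URL = "https://evil.example/login?" + "x" * 60            # attacker, padded past 50 chars
SHORT_EVIL_URL = "https://evil.example/"                        # attacker, too short for the weak check
LEGIT_URL = "https://network.example/click?campaign=summer&sub=site-42"  # allowlisted host
USERINFO_URL = "https://network.example@evil.example/" + "x" * 40       # trusted name as userinfo
SCHEME_URL = "javascript:alert(1)//" + "x" * 60                 # non-http scheme


def is_redirect_allowed_vulnerable(afflink: str) -> bool:
    """Reconstruction of the check described in the advisory: any value
    that starts with 'http' and is longer than 50 characters is accepted."""
    return afflink.startswith("http") and len(afflink) > 50


def is_redirect_allowed_hardened(afflink: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist.

    urlsplit().hostname strips port and userinfo and lower-cases the host,
    so 'https://network.example@evil.example/' resolves to evil.example and
    is rejected; protocol-relative '//evil.example' has no scheme and is
    rejected as well.
    """
    if not afflink or len(afflink) > 2048:
        return False
    try:
        parts = urlsplit(afflink)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Any userinfo at all is suspicious for an affiliate link; refuse it.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    samples = [PHISH_URL, SHORT_EVIL_URL, LEGIT_URL, USERINFO_URL, SCHEME_URL]
    for url in samples:
        print(f"{url[:48]:<50} weak={is_redirect_allowed_vulnerable(url)!s:<5} "
              f"hardened={is_redirect_allowed_hardened(url)}")
```

The weak check accepts the padded phishing URL and the userinfo variant while rejecting nothing that matters to an attacker; the hardened check admits only the allowlisted affiliate host. A real fix in the plugin would apply the same host allowlist and, on rejection, fall back to the site's home page rather than echoing the rejected value anywhere in the response.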

Remediation

No fixed release is known at the time of writing. Until one is available, deactivate or uninstall the affected plugin; where that is not possible, block or rewrite requests whose 'afflink' value points to a host outside the affiliate networks the site actually uses, for example with a web application firewall rule, and watch access logs for 'afflink' values that do not match those hosts.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.