WordPress Eatery Open Redirect Scanner

Detects an open redirect vulnerability in the WordPress Eatery theme, which affects version 2.2.

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 2 hours
Scan only one: URL
Toolbox: -

The WordPress Eatery theme is a popular theme used by restaurants and cafes wanting to establish an online presence with the WordPress platform. It allows businesses to showcase their menu, daily specials, and other services, enabling them to reach a larger audience. The theme is typically managed by web developers or digital marketing teams on behalf of the restaurant owners. With its user-friendly interface and customizable options, Eatery is commonly used for creating visually appealing and interactive restaurant websites. However, like any software, it is susceptible to vulnerabilities that can affect its integrity and the security of users' data.

The open redirect vulnerability found in version 2.2 of the WordPress Eatery theme poses a significant risk to users. By accepting a user-controlled input for specifying a link to an external site, it allows attackers to redirect unsuspecting users to malicious websites. This kind of vulnerability can result in phishing attacks where sensitive user information is harvested, or credentials are stolen. Redirects can also lead users to sites that silently install malware or execute unauthorized scripts, making this a critical security concern for any application.

Technically, the vulnerable endpoint is the file "nav.php" within the Eatery theme. The parameter "-Menu-" is insufficiently validated and can be manipulated to redirect to an external domain, as demonstrated by the payload path "{{BaseURL}}/wp-content/themes/eatery/nav.php?-Menu-=https://interact.sh/". The lack of proper sanitization enables this and poses a risk to the users and administrators of sites running the affected version. Adequate user input filtering and redirect validation could mitigate this vulnerability, but in its current state, the potential for exploitation remains.
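For asset owners who want to check their own web server logs for requests of this shape, the following is an added example, not part of the scanner or the theme. It assumes Combined Log Format access logs; the function names, the site host "restaurant.example" and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named on this page.
ENDPOINT = "/wp-content/themes/eatery/nav.php"
PARAM = "-Menu-"
# Combined Log Format: capture client IP, request target and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, placeholder hosts).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /wp-content/themes/eatery/nav.php?-Menu-=https://interact.sh/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "GET /wp-content/themes/eatery/nav.php?-Menu-=%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-content/themes/eatery/nav.php?-Menu-=/menu/lunch HTTP/1.1" 302 0',
    '192.0.2.44 - - [12/Mar/2024:10:04:31 +0000] "GET /index.php?-Menu-=https://interact.sh/ HTTP/1.1" 200 512',
]

def external_host(value, site_host):
    """Return the host a redirect value points at if it is off-site, else None."""
    # Browsers treat backslashes like slashes and ignore surrounding whitespace.
    v = value.strip().replace("\\", "/")
    try:
        host = urlsplit(v).hostname  # set for absolute and scheme-relative (//host) URLs
    except ValueError:
        return None
    if host and host.lower() != site_host.lower():
        return host.lower()
    return None

def find_redirect_probes(lines, site_host):
    """Return (client_ip, target_host, status) for off-site -Menu- values sent to nav.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.lower().endswith(ENDPOINT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):  # percent-decodes
            host = external_host(value, site_host)
            if host:
                hits.append((ip, host, status))
    return hits

if __name__ == "__main__":
    for hit in find_redirect_probes(SAMPLE, "restaurant.example"):
        print(hit)
```

The status code is returned so a hit can be triaged: a 3xx response on a matching request suggests the redirect was actually served, which is worth confirming against the installed theme version.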

If exploited, malicious actors can redirect users to phishing pages designed to mimic legitimate sites, harvesting their credentials or other sensitive information. Users may also be routed to malware-infected sites, leading to a compromise of their systems. In some cases, such vulnerabilities can enable additional unauthorized operations or data manipulation, potentially impacting business operations and reputations. The server itself may remain uncompromised, but the user trust and the integrity of the site's data are at risk.
