Unauthenticated Open Redirect Vulnerability in Travelpayouts WordPress Plugin
CVE-2024-0337

Currently unrated

Key Information:

Vendor: Wordpress
Status: Travelpayouts: All Travel Brands In One Place
Vendor: CVE Published:; 20 March 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-0337?

The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Affected Version(s)

Travelpayouts: All Travel Brands in One Place 0 <= 1.1.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-0337 - Proof of Concept

References

https://wpscan.com/vulnerability/2f17a274-8676-4f4e-989f-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 20, 2024
👾
Exploit known to exist
Mar 20, 2024
Vulnerability published
Mar 20, 2024
Vulnerability Reserved
Jan 9, 2024

Credit

Krzysztof Zając (CERT PL)

WPScan

Wordpress