Two open-redirect vulnerabilities in Bridge, a commercial WordPress theme purchased more than 120,000 times, would allow an attacker to mount spearphishing attacks against site administrators.
An open redirect vulnerability can be used to hide malicious links behind URLs for legitimate domains. For instance, a victim could be sent a link to https://legitimatesite.com/redirect.php?url=https://evilsite.com. If they hover over the link, they see only the legitimatesite.com domain — but if they click on it, they would be taken to evilsite.com without their permission.
“This is commonly used in phishing scams, since a link to a trustworthy site is much more likely to be clicked than a typical phishing domain,” explained researchers at Wordfence, who discovered the vulnerability, in a Tuesday posting. In the case of these specific flaws, “an administrator could receive a link to their own website and be taken to a WordPress login page, not knowing they were redirected to a phishing site built to harvest their credentials.”
The bugs exist in two of theme’s prepackaged helper plugins, called Qode Instagram Widget and Qode Twitter Feed (Qode Interactive is Bridge’s developer). Users are prompted to install these when installing the Bridge theme itself.
Both contain redirect scripts which allow open redirects. For Qode Instagram Widget, a script found at lib/instagram-redirect.php takes the GET parameters redirect_uri and code, and combines them into an eventual redirect location.
The offending code in Qode Twitter Feed is found at lib/twitter-redirect.php and is nearly identical to the Instagram Widget script, researchers said: “Not counting the interchange of ‘URI’ and ‘URL’ in the variable names, the only differences are the additional GET parameters required to trigger the redirect.”
Qode, which said that the scripts were artifacts of a demonstration mode included in the plugins, has released a patch for both plugins, available in version 2.0.2, which can be applied after users update the Bridge theme itself to version 18.2.1. Unfortunately, Wordfence researchers said that applying the patch is far from intuitive, given that the theme update isn’t available via WordPress’s built-in update notification system.
“Updating these plugins first requires users to update the Bridge theme. This is done either by manually downloading and installing an updated copy of the theme from ThemeForest, or by using the Envato Market plugin which also comes bundled with the Bridge theme to update from within the WordPress dashboard,” they explained in the posting. “Once the Envato Market plugin is installed, you can open its menu in the dashboard and set up your site’s API access to the Envato Marketplace. This will require you to log in to the account you used to purchase the Bridge theme and generate an access token using the steps they provide.”
Once Bridge has been updated, the individual plugin entries will show an “Update Required” link.
Users can also simply delete instagram-redirect.php and twitter-redirect.php from their sites, which takes care of the problem – but WordPress users should probably keep their plugins updated anyway given that these are a prime attack vector for cybercriminals.
Wordfence researchers said that Qode users aren’t very good about patching, with its analysis showing that 38 percent of active Qode Instagram Widget installations haven’t been updated in more than two years; that number jumps to 68 percent for Qode Twitter Feed users.
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.