Cyber Posture

CVE-2024-13888


Severity: High
Published: 20 February 2025
Modified: 25 February 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0194 (83.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Security Summary

CVE-2024-13888 is an open redirect vulnerability (CWE-601) affecting the WPMobile.App plugin for WordPress in all versions up to and including 11.56. The flaw arises from insufficient validation of the redirect URL supplied via the 'redirect' parameter, earning a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no privileges required. By tricking legitimate users into performing an action, such as clicking a crafted link, attackers can redirect them to potentially malicious sites, enabling phishing or other follow-on attacks; the impact on confidentiality and integrity is rated low, with a changed scope because the user's browser, not the vulnerable site, is affected.

Advisories recommend updating the WPMobile.App plugin to a version beyond 11.56 for mitigation. Key references include the plugin's Trac changeset 3243366, which addresses the issue; the Wordfence threat intelligence details at https://www.wordfence.com/threat-intel/vulnerabilities/id/a139f0fc-f3e0-4759-aa8d-ba138e5ccc87?source=cve; and the plugin developer page at https://wordpress.org/plugins/wpappninja/#developers.
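The following is an added illustration of the vulnerable pattern described above beside the WordPress-native hardened form; it is not the WPMobile.App plugin's own code, and the `example_` function names and the placeholder host are assumptions.

```php
<?php
// Added illustrative example (not the WPMobile.App plugin's code): an
// unvalidated 'redirect' parameter versus a hardened version that relies on
// WordPress core's redirect validation. Function names prefixed "example_"
// are hypothetical; 'app.example.com' is a placeholder host.

// Vulnerable pattern (CWE-601): whatever the request supplies becomes the
// redirect target, so a crafted link can send the user to an off-site page.
function example_redirect_unsafe() {
    if ( isset( $_GET['redirect'] ) ) {
        wp_redirect( $_GET['redirect'] ); // no host or scheme check
        exit;
    }
}

// Hardened version: wp_validate_redirect() only accepts the site's own host
// (plus hosts added via the 'allowed_redirect_hosts' filter) and returns the
// fallback URL otherwise; wp_safe_redirect() applies the same validation.
function example_redirect_safe() {
    $target   = isset( $_GET['redirect'] ) ? wp_unslash( $_GET['redirect'] ) : '';
    $fallback = home_url( '/' );
    $location = wp_validate_redirect( $target, $fallback );
    wp_safe_redirect( $location );
    exit;
}

// If an external destination is legitimately required, allow-list it
// explicitly instead of trusting the request parameter.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'app.example.com'; // placeholder host
    return $hosts;
} );
```

When reviewing a plugin for this class of bug, searching for `wp_redirect(` calls whose argument derives from `$_GET`, `$_POST` or `$_REQUEST` without passing through `wp_validate_redirect()` or `wp_safe_redirect()` surfaces the same pattern.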

Details

CWE(s)
CWE-601

Affected Products

Vendor: amauri
Product: wpmobile.app
Versions: ≤ 11.57

References