withinsecurity: WordPress Failure Notice page will generate arbitrary hyperlinks

ID H1:112955
Type hackerone
Reporter hgjjj
Modified 2016-03-25T19:14:36



When the "WordPress Failure Notice" page is returned, if the parameter _wp_http_referer was supplied with a valid URL, this URL will be used as the "Please try again." link (see attachment). A way to reliably generate this page, is to append ?wpcspReceiveCSPviol=1&_wp_http_referer=example.com to any page address.


An obvious situation where this could lead to a problem, is if a malicious party is able to force the WordPress Failure Notice page with a parameter pointing to a site he controls. The unsuspecting user would be presented with a seemingly harmless page from a trusted domain, with an innocent looking "Please try again." link, which points to an attacker controlled location.

The severity of this issue is arguably small, however. It would involve some considerable amount of work on the attackers part, to create a situation where this could become a problem. As far as I could tell, the only way to reliably force the "WordPress Failure Notice" page, is to append ?wpcspReceiveCSPviol=1 to an URL.


A fix would be to check that supplied arguments to the _wp_http_referer parameter, is restricted to the same domain as the page or to ensure that users aren't able to force Failure pages.