Plugin Exploit

Critical Redirection Vulnerability in WordPress Bridge Theme

Updated on: March 29, 2020

Critical Redirection Vulnerability in WordPress Bridge Theme

WordPress theme-Bridge has been found to have an open redirect vulnerability.  As its name suggests, this vulnerability lets a hacker redirect a site’s visitors to unauthentic & malicious domains. Anyone on the version <=18.2 faces risk. With this post, we intend to make you aware of the vulnerability and the quick mitigation measures you can take. Plus, we’ll dissect the details in order to make it easy to comprehend.

But before that, a word of warning- If you also have Bridge installed on your website, update it to the latest version 1.8.2 without delay.

Theme Details

The Bridge is a paid WordPress theme and has more than 1,00,000 active installations at present. The theme developers, Qode Interactive, pushed the updates shortly after the disclosure.

As of now, no news of hacks in the wild has reached our ears. Regardless, you shouldn’t delay the update.

Vulnerability Details

Open redirect vulnerability allows any hacker to redirect visitors from your domain to hacker-controlled domains. They can also plant dangerous links into your website or use your website to host spam on other websites. This could eventually lead your website into being a phishing site on the web. Amongst other consequences of redirection & spam injections are the “Deceptive Site Ahead” warning by Google, lost sales, reduced traffic, and much more.

The vulnerabilities, originally, were present in the plugins Qode Instagram Widget and Qode Twitter feed that comes pre-packaged with this theme. Bridge prompts you to download these plugins after you have successfully set the theme up.

The updates that were pushed also include patched versions of Qode Instagram Widget and Qode Twitter Feed. The mended plugin versions are 2.0.2. It is interesting to know that most users who had these accompanying plugins installed, never managed to update them. In fact, a lot of websites with the theme didn’t update the plugins in more than two years!

Technical Details

A typical redirection code looks something like this,

$redirect_url = $_GET['url'];

header("Location: " . $redirect_url);

However, the variations could be plenty. This guide on WordPress redirection hack and its removal process will give you a better insight into the variations of codes.

Codes Found in Qode Instagram Widget

The actual codes that were present in the plugin Qode Instagram Widget are:

<?php

if(!empty($_GET['redirect_uri']) && !empty($_GET['code'])) {

$glue = strstr($_GET['redirect_uri'], '?') ? '&' : '?';

header('Location: '.($_GET['redirect_uri'].$glue.'code='.$_GET['code']));

}

Here, the first line of code gets the value of $_GET['redirect_uri' & !empty($_GET['code'] if they are not empty. Then, it combines this information (the link) to a location to redirect visitors.

These codes were inserted in the  lib/instagram-redirect.php of the plugin.

Codes Found in Qode Twitter Feed

Plugin Qode Twitter Feed also had a  similar code in its lib/twitter-redirect.php:

<?php

if(!empty($_GET['redirect_url']) && !empty($_GET['oauth_token']) && !empty($_GET['oauth_verifier'])) {

$glue = strstr($_GET['redirect_url'], '?') ? '&' : '?';

header('Location: '

($_GET['redirect_url'].$glue.'oauth_token='.$_GET['oauth_token']).'&oauth_verifier='.$_GET['oauth_verifier']);

}

Again, the first line of code checks for the value of !empty($_GET['redirect_url'] & !empty($_GET['oauth_token'] & !empty($_GET['oauth_verifier'].

Then, it combines the redirecting link and location to it.

Preventive Measures

Nipping the vulnerability in the bud is the best thing you can do right now. Hence, update to latest versions to mitigate vulnerability risks and install a firewall for enhanced protection against coming attacks.

1. Update ASAP

Patched Theme Version = 18.2.1

Patched Plugin Version = 2.0.2

Anything can wait, this can’t. Update now.

2. Install a Firewall

After you have updated the theme and plugins, protect your website with a firewall. A premium firewall deploys a  robust monitoring system on your website. Firewalls are also a great way to ensure real-time protection from coming attacks.

Astra’s hacker-tested firewall is known to block 140+ threats, including OWASP top 10, XSS, CSRF, bad bots, link injection, etc. Do not wait to get hacked, install Astra and shoo away the hackers!

Take an Astra demo right now.

Was this post helpful?

Tags: , , , ,

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany