The WordPress theme Bridge has been found to have an open redirect vulnerability. As the name suggests, this vulnerability lets a hacker redirect a site’s visitors to unauthentic and malicious domains. Anyone on version <=18.2 is at risk. With this post, we intend to make you aware of the vulnerability and the quick mitigation measures you can take, and we’ll dissect the details to make them easy to comprehend.
But before that, a word of warning: if you also have Bridge installed on your website, update it to the latest version 1.8.2 without delay.
Theme Details
The Bridge is a paid WordPress theme and has more than 1,00,000 active installations at present. The theme developers, Qode Interactive, pushed the updates shortly after the disclosure.
As of now, no news of hacks in the wild has reached our ears. Regardless, you shouldn’t delay the update.
Vulnerability Details
An open redirect vulnerability allows a hacker to redirect visitors from your domain to hacker-controlled domains. They can also plant dangerous links into your website or use your website to host spam aimed at other websites. This could eventually turn your website into a phishing site. Amongst the other consequences of redirection and spam injection are the “Deceptive Site Ahead” warning from Google, lost sales, reduced traffic, and much more.
The vulnerabilities were originally present in the plugins Qode Instagram Widget and Qode Twitter Feed, which come pre-packaged with this theme. Bridge prompts you to install these plugins after you have successfully set the theme up.
The updates that were pushed also include patched versions of Qode Instagram Widget and Qode Twitter Feed; the fixed plugin version is 2.0.2. Interestingly, most users who had these accompanying plugins installed never updated them. In fact, many websites running the theme had not updated the plugins in more than two years!
Technical Details
A typical vulnerable redirect looks something like this:
<?php
// The redirect target is taken straight from the query string and sent
// back in the Location header without any validation of its destination.
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
However, there can be many variations. This guide on the WordPress redirection hack and its removal process will give you a better insight into the variations of this code.
Code Found in Qode Instagram Widget
The actual code that was present in the Qode Instagram Widget plugin is:
<?php
if(!empty($_GET['redirect_uri']) && !empty($_GET['code'])) {
    // Pick '&' if redirect_uri already carries a query string, otherwise '?'
    $glue = strstr($_GET['redirect_uri'], '?') ? '&' : '?';
    // redirect_uri is user-controlled and is never checked against the site's own host
    header('Location: '.($_GET['redirect_uri'].$glue.'code='.$_GET['code']));
}
Here, the first line checks that $_GET['redirect_uri'] and $_GET['code'] are both non-empty. Then it appends the code to the caller-supplied redirect_uri (the link) and sends the result as the Location header, redirecting visitors to wherever that link points. This code was present in lib/instagram-redirect.php of the plugin.
Code Found in Qode Twitter Feed
The Qode Twitter Feed plugin had similar code in its lib/twitter-redirect.php:
<?php
if(!empty($_GET['redirect_url']) && !empty($_GET['oauth_token']) && !empty($_GET['oauth_verifier'])) {
    // Pick '&' if redirect_url already carries a query string, otherwise '?'
    $glue = strstr($_GET['redirect_url'], '?') ? '&' : '?';
    // redirect_url is user-controlled and is never validated before being used as the Location
    header('Location: '.($_GET['redirect_url'].$glue.'oauth_token='.$_GET['oauth_token']).'&oauth_verifier='.$_GET['oauth_verifier']);
}
Again, the first line checks that $_GET['redirect_url'], $_GET['oauth_token'] and $_GET['oauth_verifier'] are all non-empty. Then it appends the token and verifier to the unvalidated redirect_url and sends the result as the Location header.
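Both snippets above share one defect: the redirect target comes from the query string and is never checked before it reaches the Location header. The following is an added example, not code from the Bridge theme or the Qode plugins, showing how such a target can be validated before use: only same-site relative paths or absolute http(s) URLs whose host is on an explicit allowlist are accepted, and everything else falls back to the site root. The $site_host and $allowed_hosts values are constructed for the demo; in WordPress itself, wp_safe_redirect() with the allowed_redirect_hosts filter does the equivalent job.

```php
<?php
// Added example: validate a caller-supplied redirect target before using it in
// a Location header. Not part of the original plugins.
function safe_redirect_target(string $candidate, string $site_host, array $allowed_hosts): string
{
    $fallback = 'https://' . $site_host . '/';

    // Reject empty input and control characters (CR/LF could split headers).
    if ($candidate === '' || preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }

    // Relative URL: no scheme and no host. "//evil.example" does report a host
    // and so does not land here; "/\evil.example" is rejected by the second-char check.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        if (strlen($candidate) > 1 && $candidate[0] === '/'
            && $candidate[1] !== '/' && $candidate[1] !== '\\') {
            return 'https://' . $site_host . $candidate;
        }
        return $fallback;
    }

    // Absolute URL: http(s) only, no embedded credentials, host on the allowlist.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return $fallback;
    }
    return $candidate;
}

// Constructed demo values; a plugin would call
// header('Location: ' . safe_redirect_target($_GET['redirect_uri'], $site, $allowed));
$site    = 'site.example';
$allowed = ['site.example', 'accounts.site.example'];
$inputs  = ['/wp-admin/?code=abc', '//evil.example/', 'https://evil.example/x',
            'https://accounts.site.example/cb', 'javascript:alert(1)', '/\\evil.example',
            'https://evil.example@site.example/'];
foreach ($inputs as $in) {
    echo str_pad($in, 36), ' => ', safe_redirect_target($in, $site, $allowed), PHP_EOL;
}
```

Of the seven constructed inputs, only the same-site path and the allowlisted accounts.site.example URL pass through; the scheme-relative, backslash, javascript:, credential-embedding and foreign-host forms all resolve to the site root.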
Preventive Measures
Nipping the vulnerability in the bud is the best thing you can do right now. Hence, update to the latest versions to mitigate the risk and install a firewall for enhanced protection against future attacks.
1. Update ASAP
Patched Theme Version = 18.2.1
Patched Plugin Version = 2.0.2
Anything can wait, this can’t. Update now.
2. Install a Firewall
After you have updated the theme and plugins, protect your website with a firewall. A premium firewall deploys a robust monitoring system on your website, and firewalls are also a great way to ensure real-time protection from incoming attacks.
Astra’s hacker-tested firewall is known to block 140+ threats, including the OWASP Top 10, XSS, CSRF, bad bots, link injection, etc. Do not wait to get hacked; install Astra and shoo away the hackers!