cbcvebase.
CVE-2023-0552
published 2023-02-27

CVE-2023-0552: The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open…

PriorityP274medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
24.26%
97.6th percentile
The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability

Affected

1 ranges
VendorProductVersion rangeFixed in
genetechsolutionspie_register< 3.8.2.33.8.2.3

Detection & IOCsextracted from sources · hover to see the quote

url{{BaseURL}}/wp-admin?piereg_logout_url=true&redirect_to=https://oast.me
other(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$
  • Send a GET request to /wp-admin with parameters piereg_logout_url=true and redirect_to set to an external URL; a vulnerable site will issue a Location header redirecting to the attacker-controlled domain.
  • Detect exploitation by inspecting HTTP response Location headers for an unvalidated external redirect originating from the /wp-admin endpoint with the piereg_logout_url=true query parameter.
  • The vulnerability is triggered via the redirect_to parameter during login and logout flows in the Pie Register WordPress plugin; monitor for unexpected values in this parameter pointing to external domains.
  • ·The Nuclei template requires redirects to be followed (redirects: true) to capture the Location header for matching; ensure your scanner or proxy is configured to capture redirect responses rather than auto-follow them silently.
  • ·The vulnerability affects Pie Register (Registration Forms) WordPress plugin versions before 3.8.2.3 only; verify the installed plugin version before triaging alerts.
  • ·Exploitation requires an authenticated attacker with low privileges (PR:L), so unauthenticated probes against this endpoint may not reproduce the redirect in all configurations.

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vulncheck5.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.