Open Redirect Vulnerability Patched In Bridge Theme

Description: Open Redirect
CVSS v3.0 Score: 7.1 (High)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Software: Two built-in plugins packaged with the Bridge theme – Qode Instagram Widget and Qode Twitter Feed
Plugin Slugs: qode-instagram-widget, qode-twitter-feed
Affected Versions: Bridge Theme: 18.2 / Plugins: 2.0 (Twitter plugin) 2.0.1 (Instagram plugin)
Patched Version: Bridge Theme: 18.2.1 / Plugins: 2.0.1 (Twitter plugin) 2.0.2 (Instagram plugin)

Our Threat Intelligence team recently identified an open redirect vulnerability in Bridge, a commercial WordPress theme purchased more than 120,000 times. We disclosed this issue to Qode Interactive, the theme’s developers, who have since released a patch for the affected components.

The initial discovery was related to one of the theme’s prepackaged helper plugins, Qode Instagram Widget. After discovery, Qode’s team patched a similar open redirect flaw in another prepackaged plugin, Qode Twitter Feed. Both of these plugins should be updated to their latest version, which is 2.0.1 for the Twitter plugin and 2.0.2 for the Instagram plugin. These updates will be accessible from within the Bridge theme’s recommended plugin manager once the theme has been updated to 18.2.1.

We have released new firewall rules which protects Wordfence users’ sites from abuse of these open redirects. Wordfence Premium users already have access to these rules, and users still on the free version will have access in thirty days.

In today’s post, we’ll take a look at the vulnerabilities that were patched, and we’ll briefly discuss the risk that an open redirect vulnerability presents. Update workflows can vary for commercial themes and plugins such as these, so we’ll additionally be providing a short guide to help Bridge users ensure they’re up to date.

What Is An Open Redirect?

An open redirect vulnerability exists when a web application can be made to redirect a visitor to an arbitrary location based on user input. This can be used to create innocent-looking web links to legitimate domains, which then redirect the victim to a dangerous location. This is commonly used in phishing scams, since a link to a trustworthy site is much more likely to be clicked than a typical phishing domain.

A classic example of this type of flaw is as follows:

$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);

In the example above, a victim could be sent a link to https://legitimatesite.com/redirect.php?url=https://evilsite.com, hover over the link to confirm the legitimatesite.com domain, click on it, and be taken to evilsite.com without their permission.

In the WordPress ecosystem, this could be used in spearphishing attacks against site administrators. An administrator could receive a link to their own website and be taken to a WordPress login page, not knowing they were redirected to a phishing site built to harvest their credentials.

Vulnerable Redirect Scripts In Prepackaged Plugins

Upon install, the Bridge theme prompts users to install a number of prepackaged plugins. Two of these plugins, Qode Instagram Widget and Qode Twitter Feed, contained redirect scripts which allowed open redirects.

For Qode Instagram Widget, the following script could be found at lib/instagram-redirect.php:

<?php

if(!empty($_GET['redirect_uri']) && !empty($_GET['code'])) {
    $glue = strstr($_GET['redirect_uri'], '?') ? '&' : '?';
    header('Location: '.($_GET['redirect_uri'].$glue.'code='.$_GET['code']));
}

This code takes the GET parameters redirect_uri and code, and combine them into an eventual redirect location.

The code in Qode Twitter Feed is almost identical. The following can be found at lib/twitter-redirect.php:

<?php

if(!empty($_GET['redirect_url']) && !empty($_GET['oauth_token']) && !empty($_GET['oauth_verifier'])) {
    $glue = strstr($_GET['redirect_url'], '?') ? '&' : '?';
    header('Location: '.($_GET['redirect_url'].$glue.'oauth_token='.$_GET['oauth_token']).'&oauth_verifier='.$_GET['oauth_verifier']);
}

Not counting the interchange of “URI” and “URL” in the variable names, the only differences are the additional GET parameters required to trigger the redirect.

Upon disclosure, Qode Interactive responded that these scripts were only present for demo purposes, and they have been removed entirely from patched versions of the plugins.

How Do I Patch?

Commercial WordPress themes and plugins often have update workflows that differ from those native to the WordPress.org repository. In the case of the Bridge theme and its associated plugins, it seems many users aren’t getting the updates they need. According to our data, 38% of active Qode Instagram Widget installations haven’t been updated in more than two years, and that number jumps to 68% for Qode Twitter Feed users. 

Updating these plugins first requires users to update the Bridge theme. This is done either by manually downloading and installing an updated copy of the theme from ThemeForest, or by using the Envato Market plugin which also comes bundled with the Bridge theme to update from within the WordPress dashboard.

Screenshot of the Envato Market plugin’s API setup process.

Once the Envato Market plugin is installed, you can open its menu in the dashboard and set up your site’s API access to the Envato Marketplace. This will require you to log in to the account you used to purchase the Bridge theme and generate an access token using the steps they provide.

Once the API connection has been established, the theme can be updated. Unfortunately, the need to update isn’t made particularly obvious from most of the dashboard, as it doesn’t interact with WordPress’s built-in update notification system. Instead, you’ll see the update available within the Theme selector (Appearance -> Themes), or within the Themes tab of the Envato Market options page.

Screenshot of the WordPress theme selector showing an update available for Bridge.

Once Bridge has been updated, users may see a nag notification telling them their built-in plugins need to be updated, but if they ignore or dismiss it there’s no persistent indication that an update is available. If users open their plugins page, they won’t see a typical update notice. The individual plugin entries will show an “Update Required” link, however.

Screenshot of a WordPress plugin management page, showing several Qode plugins with “Update Required” links.

Short-Term Fix: Delete The Scripts

In the event that updating your site’s Bridge theme isn’t immediately possible, such as cases where a one-time developer installed it before vanishing into the wind, it’s easy to resolve the security issues present in these plugins without updating anything else.

Since the vulnerable files aren’t actually used or referenced in the plugins themselves, users can simply delete instagram-redirect.php and twitter-redirect.php from their sites without causing any problems. While it’s still always recommended that users update their themes and plugins, removing these files will still mitigate security concerns in the meantime.

Disclosure Timeline

  • 09/19/19 – Vendor notified of issue
  • 09/23/19 – Vendor acknowledged issue and proposed patch
  • 10/16/19 – Patched version released

 

Did you enjoy this post? Share it!

Comments

2 Comments
  • Regarding the patched version release:

    I have a client contacting me about this, we installed to the newest version Bridge Theme today: 18.2.1 / Plugins: 2.0.2

    This patch fixed everything but the Qode Twitter Feed which is till 2.0.1 and still shows vulnerabilities when scanned.

    • Hi Lori, If you're still seeing a vulnerable version after patching, I would recommend reaching out to the theme's developers for support.