VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2023 · Updated Aug 6, 2024

WooFramework Branding Plugin wooframework-branding.php admin_screen_logic redirect

CVE-2015-10112

Description

A vulnerability classified as problematic has been found in the WooFramework Branding Plugin for WordPress, versions up to 1.0.1. The affected code is the function admin_screen_logic in the file wooframework-branding.php: manipulation of the url argument leads to an open redirect, and the attack can be launched remotely. Upgrading to version 1.0.2 addresses the issue; the fix commit is f12fccd7b5eaf66442346f748c901ef504742f78. Upgrading the affected component is recommended. The identifier of this vulnerability is VDB-230652.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The plugin fails to properly sanitize a URL parameter before redirecting the user, allowing for open redirect vulnerabilities."

Attack vector

An attacker crafts a link to the affected screen with the 'url' argument set to an arbitrary destination; when a victim follows it, admin_screen_logic redirects the browser to that external site. No interaction beyond clicking the link is needed, and the attack is launched remotely. Because the site the victim trusts issues the redirect, the landing page is a convenient place for phishing or credential theft. This is CWE-601, URL Redirection to Untrusted Site ('Open Redirect') [CWE-601].

Affected code

The vulnerability resides in the `admin_screen_logic` function within the file `wooframework-branding.php`. The function constructs a URL and then uses `wp_safe_redirect` to redirect the user. The specific line of code that was modified is `wp_safe_redirect( $url );` which was changed to `wp_safe_redirect( esc_url( $url ) );` [patch_id=4375429].

What the fix does

The patch wraps the `$url` variable in `esc_url()` before it is passed to `wp_safe_redirect` [patch_id=4375429]. `esc_url()` cleans the value: it strips characters that are not valid in a URL and drops the whole value when the scheme is not in WordPress's allowed-protocols list, so a `javascript:` or similar payload never reaches the redirect. It does not by itself restrict the destination host; in WordPress that restriction is the job of `wp_safe_redirect()`, which validates the target against the `allowed_redirect_hosts` list (by default only the site's own host) and falls back to the admin URL when the host is not allowed. Two practitioner notes: after upgrading, confirm that the redirect line in wooframework-branding.php reads `wp_safe_redirect( esc_url( $url ) );`, and be aware that `esc_url()` is the display-context escaper and entity-encodes `&` as `&#038;`, which can mangle a multi-parameter query string in a redirect; WordPress's own guidance for non-HTML contexts such as redirects is `esc_url_raw()`.
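The host allow-list check that a safe redirect helper has to perform, as an added example that is not code from the WooFramework Branding plugin or from WordPress core: plain PHP modelling what `wp_validate_redirect()` does, run against constructed payloads of the kind used to probe open redirects. The function name `safe_redirect_target`, the fallback path and the host `shop.example` are assumptions made for the illustration.

```php
<?php
// Added example, not code from the WooFramework Branding plugin or from WordPress core.
// Models the allow-list check behind wp_safe_redirect()/wp_validate_redirect() in plain PHP
// so it runs stand-alone:  php open_redirect_check.php

/**
 * Return $url if it is a safe redirect target, otherwise $fallback.
 *
 * Safe means either a site-relative path (exactly one leading "/") or an
 * absolute http(s) URL whose host is in $allowedHosts. Protocol-relative
 * "//host", the "/\host" variant, userinfo ("trusted@evil") and non-http
 * schemes are all rejected.
 */
function safe_redirect_target(string $url, array $allowedHosts, string $fallback = '/wp-admin/'): string
{
    $url = trim($url);
    if ($url === '') {
        return $fallback;
    }

    // Site-relative path. Browsers treat "//host" and "/\host" as cross-origin, so
    // only a single leading slash counts as relative.
    if ($url[0] === '/') {
        if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
            return $fallback;
        }
        return $url;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // unparsable, host-less, or scheme-only such as "javascript:..."
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;   // data:, javascript:, ftp:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;   // "https://shop.example@evil.example/" really goes to evil.example
    }
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return $fallback;   // exact match only; "shop.example.evil.example" is a different host
    }
    return $url;
}

// Constructed test inputs (assumed site host: shop.example); not taken from the advisory.
$allowedHosts = ['shop.example'];
$cases = [
    '/wp-admin/admin.php?page=woothemes',   // legitimate relative path   -> kept
    'https://shop.example/wp-admin/',       // legitimate absolute URL    -> kept
    'https://evil.example/phish',           // foreign host               -> fallback
    '//evil.example/phish',                 // protocol-relative          -> fallback
    '/\\evil.example/phish',                // backslash variant          -> fallback
    'https://shop.example@evil.example/',   // userinfo trick             -> fallback
    'https://shop.example.evil.example/',   // host-suffix trick          -> fallback
    'javascript:alert(document.domain)',    // non-http scheme            -> fallback
];

foreach ($cases as $case) {
    printf("%-40s => %s\n", $case, safe_redirect_target($case, $allowedHosts));
}
```

In a WordPress plugin the same policy is obtained by passing the target through `wp_safe_redirect()` rather than `wp_redirect()` and keeping the `allowed_redirect_hosts` filter tight; the point of the stand-alone version is to make the rejected cases visible, in particular the protocol-relative, userinfo and host-suffix variants, which a scheme-and-character check such as `esc_url()` lets through unchanged.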

Preconditions

  • input: The attacker must be able to control or influence the 'url' argument passed to the `admin_screen_logic` function.
  • network: The attack can be launched remotely.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
