Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

The application uses user-supplied values from the URL (such as query parameters or hash fragments) to set the destination for redirects (e.g., via location.href or location.replace) without properly validating them. This allows attackers to control redirect targets and potentially inject malicious URLs.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Using Object.assign() to merge user-controlled data into objects can let attackers overwrite sensitive fields or introduce unexpected data, especially if the input comes directly from sources like JSON.parse(). This can expose or modify data in ways you did not intend.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A05:2017 - Broken Access Control
Confidence Level	Medium
Impact Level	Low
Likelihood Level	Medium

Description

Redirecting users to the current request URL using ‘header(“Location: " . $_SERVER[“REQUEST_URI”])’ can allow attackers to craft URLs that cause your site to redirect users to external, potentially malicious domains. This happens if the request path begins with double slashes (e.g., ‘//attacker.com’).

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

Redirecting users to URLs that are not hardcoded or validated can allow attackers to craft links that redirect users to malicious sites. If user input is used directly in the redirect() method, the application is vulnerable to open redirects.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A05:2021 - Security Misconfiguration
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

This function can be used to redirect to user supplied URLs. If user input is not sanitised or validated, this could lead to Open Redirect vulnerabilities. Use “wp_safe_redirect()” to prevent this kind of attack.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Low
Impact Level	Medium
Likelihood Level	Low

Description

User-supplied data from the request is directly passed to Flask’s redirect() function without proper validation. This allows attackers to craft URLs that redirect users to external, potentially malicious sites.

Impact

Exploiting this vulnerability can let attackers trick users into leaving your site for phishing or malicious sites, undermining user trust and enabling theft of credentials or sensitive information. It may also facilitate other attacks such as session hijacking or social engineering.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Low

Description

User-supplied input from the request is being used directly in a redirect without validation. This allows attackers to craft URLs that redirect users to malicious sites, leading to an open redirect vulnerability.

Impact

If exploited, attackers can trick users into visiting untrusted or malicious websites by sending them links to your application that perform unauthorized redirects. This can facilitate phishing attacks, loss of user trust, and may expose users to further security threats.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The application performs redirects based on user input without proper validation or sanitization. This allows attackers to craft URLs that redirect users to malicious sites or unauthorized pages.

Impact

Exploiting this vulnerability, attackers can trick users into trusting harmful websites (phishing) or bypass access controls to reach restricted parts of your app, potentially leading to data theft or account compromise.

Property
Language
Severity
CWE	CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP	A01:2021 - Broken Access Control
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The code passes user-controlled input (like params or cookies) directly to the redirect_to method without restricting the redirect to internal paths. This allows attackers to supply a URL that could redirect users to external, potentially malicious websites.

Impact

If exploited, attackers can craft links that cause your application to redirect users to phishing sites or malicious domains, leading to loss of user trust, possible credential theft, and facilitating social engineering attacks against your users.

Property
Language
Severity
CWE	CWE-416: Use After Free
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

This vulnerability occurs when code tries to access or use a variable after it has already been freed with free(). Using freed memory can cause unpredictable program behavior and errors.

Impact

An attacker could exploit this flaw to crash the application, corrupt data, or even execute malicious code by controlling the freed memory. This can lead to severe security breaches, including data leaks and system compromise.