Title: Open Redirect Security Issues
Last modified: August 24, 2016

---

# Open Redirect Security Issues

 *  [Juergen Schulze](https://wordpress.org/support/users/1manfactory/)
 * (@1manfactory)
 * [11 years ago](https://wordpress.org/support/topic/open-redirect-security-issues/)
 * Did you fix this?
 * [https://wpvulndb.com/vulnerabilities/7868](https://wpvulndb.com/vulnerabilities/7868)
   
   [https://research.g0blin.co.uk/g0blin-00039/](https://research.g0blin.co.uk/g0blin-00039/)
 * I can’t find any information on this in the changelog
 * [https://wordpress.org/plugins/newsletter/](https://wordpress.org/plugins/newsletter/)

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [dgmstuart](https://wordpress.org/support/users/dgmstuart/)
 * (@dgmstuart)
 * [11 years ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167412)
 * +1
 *  [dgmstuart](https://wordpress.org/support/users/dgmstuart/)
 * (@dgmstuart)
 * [11 years ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167413)
 * Here’s an older advisory with the same issue from an apparently different source:
   [http://seclists.org/fulldisclosure/2015/Mar/23](http://seclists.org/fulldisclosure/2015/Mar/23)
 *  [Chris](https://wordpress.org/support/users/comradeseidl/)
 * (@comradeseidl)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167487)
 * Does this fix it (edit to newsletter/statistics/link.php):
 *     ```
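       // Host of this WordPress site
       $site_url = parse_url( get_site_url() );
       $site_domain = $site_url['host'];
   
       // Host of the requested redirect target
       $input_url = parse_url( $url );
       $input_domain = $input_url['host'];
   
       // Redirect only when the target is on the site's own host
       if ($site_domain == $input_domain) header('Location: ' . $url);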
       ```
   
 *  [ethicalhack3r](https://wordpress.org/support/users/ethicalhack3r/)
 * (@ethicalhack3r)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167499)
 * Chris – I would probably use the === operator for comparing the two domain strings;
   apart from that it looks like it should work (not tested). Let me know when it
   has been fixed and we can mark it as such on wpvulndb.com.
 *  Plugin Author [Stefano Lissa](https://wordpress.org/support/users/satollo/)
 * (@satollo)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167501)
 * Domain checking is not good; many marketing emails are sent linking to external
   services (for example affiliates).
 * Version 3.8.3 has a control key on the rewritten URLs. For old links an intermediate
   page is shown where the destination URL (not verified with a valid key) is explicitly
   shown.


The topic ‘Open Redirect Security Issues’ is closed to new replies.
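
The last reply describes a control key on rewritten URLs with an intermediate page for links that lack a valid key. The sketch below is an added example of that pattern, not the Newsletter plugin's code: the HMAC-SHA256 scheme, the `demo_*` function names, the `r`/`k` parameter names and the secret are all assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's implementation. All names are hypothetical.
const LINK_SECRET = 'constructed-demo-secret'; // per-site secret (constructed value)

// Build the rewritten tracking URL that goes into an outgoing email.
function demo_sign_link(string $base, string $target): string {
    $key = hash_hmac('sha256', $target, LINK_SECRET);
    return $base . '?' . http_build_query(['r' => $target, 'k' => $key]);
}

// Decide what the link handler does with an incoming query.
// Returns ['redirect', url], ['interstitial', url] or ['reject', null].
function demo_resolve_link(array $query): array {
    $target = $query['r'] ?? '';
    $key    = $query['k'] ?? '';
    if (!is_string($target) || !is_string($key)) {
        return ['reject', null];            // array-valued parameters etc.
    }
    $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['reject', null];            // no javascript:, data:, relative tricks
    }
    $expected = hash_hmac('sha256', $target, LINK_SECRET);
    if (hash_equals($expected, $key)) {     // constant-time comparison
        return ['redirect', $target];       // link was generated by this site
    }
    return ['interstitial', $target];       // old or modified link: show it, do not follow it
}

// Intermediate page: the destination is displayed, escaped, for the user to judge.
function demo_render_interstitial(string $target): string {
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return "<p>You are leaving this site for: <a href=\"$safe\" rel=\"noopener noreferrer\">$safe</a></p>";
}

// Constructed sample requests: a signed external link, a reused key, a keyless old link.
$signed = demo_sign_link('https://example.org/link.php', 'https://affiliate.example.net/offer?id=7');
parse_str(parse_url($signed, PHP_URL_QUERY), $good);
$samples = [
    'signed'   => $good,
    'modified' => ['r' => 'https://unrelated.example/', 'k' => $good['k']],
    'legacy'   => ['r' => 'https://affiliate.example.net/old'],
];
foreach ($samples as $name => $query) {
    [$action, $url] = demo_resolve_link($query);
    echo "$name: $action\n";
    if ($action === 'interstitial') echo '  ' . demo_render_interstitial($url) . "\n";
}
```

Because the key is bound to the exact destination, external affiliate links keep working without a domain allow-list, while a destination swapped in after sending no longer redirects silently.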

 * 5 replies
 * 5 participants
 * Last reply from: [Stefano Lissa](https://wordpress.org/support/users/satollo/)
 * Last activity: [10 years, 11 months ago](https://wordpress.org/support/topic/open-redirect-security-issues/#post-6167501)
 * Status: not resolved