CVE-2023-6786: 
WordPress vulnerability analysis and mitigation

The Payment Gateway for Telcell WordPress plugin through version 2.0.1 contains an unauthenticated open redirect vulnerability. The vulnerability was discovered and disclosed on December 13, 2023, affecting WordPress installations using this payment gateway plugin. The issue stems from the plugin's failure to properly validate the api_url parameter before redirecting users to its value (WPScan, CVE Mitre).

The vulnerability exists in the plugin's redirect functionality when accessing the URL path /wp-admin/admin.php?page=wc-settings&action=redirect_telcell_form&api_url=. The plugin performs a redirect to the specified api_url value without proper validation. This vulnerability has been classified under the OWASP Top 10 category A1: Injection and CWE-601, with a CVSS score of 4.7 (medium) (WPScan, Wiz).

This vulnerability could enable attackers to redirect users to malicious websites through the plugin's functionality. As an unauthenticated vulnerability, it can be exploited without requiring any login credentials, potentially leading to phishing attacks or other malicious redirects (WPScan).

The vulnerability has been fixed in version 2.0.4 of the Payment Gateway for Telcell plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan, Wiz).