WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure

Description

The All In One WP Security & Firewall plugin suffers from open redirect and exposure of the actual URL of the "hidden login page" feature.

Edit (WPScanTeam)
October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/
October 8th - Dev ACK & investigating it
October 8th - v4.4.2 released, fixing the issues (confirmed by researcher)

Proof of Concept

If a site has the plugin enabled, visiting https://site.com/?aiowpsec_do_log_out=1&after_logout=https://evilsite.com will redirect the user to evilsite.com. If the rename login page feature is enabled, then the URL https://site.com/?aiowpsec_do_log_out=1&al_additional_data=1 will redirect the user to the "hidden" login page.

A live proof of concept can be found on the site of one of the developers of the plugin. http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&after_logout=https://www.google.com to get redirected to www.google.com and http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&al_additional_data=1 to get redirected to the admin page.

Affects Plugins

all-in-one-wp-security-and-firewall
Fixed in version 4.4.2

Classification

Type

REDIRECT

OWASP top 10
A1: Injection
CWE
CWE-601

Miscellaneous

Verified

No

WPVDB ID
467673ad-d0ad-46a3-80c7-8ebb3813a4b3

Timeline

Publicly Published

2019-10-08 (about 3 years ago)

Added

2019-10-08 (about 3 years ago)

Last Updated

2019-10-08 (about 3 years ago)

Our Other Services

WPScan WordPress Security Plugin