All In One WP Security & Firewall <= 4.4.1 – Open Redirect & Hidden Login Page Exposure

Description

The All In One WP Security & Firewall plugin suffers from open redirect and exposure of the actual URL of the "hidden login page" feature.

Edit (WPScanTeam)
October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/
October 8th - Dev ACK & investigating it
October 8th - v4.4.2 released, fixing the issues (confirmed by researcher)

Proof of Concept

If a site has the plugin enabled, visiting https://site.com/?aiowpsec_do_log_out=1&after_logout=https://evilsite.com will redirect the user to evilsite.com. If the rename login page feature is enabled, then the URL https://site.com/?aiowpsec_do_log_out=1&al_additional_data=1 will redirect the user to the "hidden" login page.

A live proof of concept can be found on the site of one of the developers of the plugin. http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&after_logout=https://www.google.com to get redirected to www.google.com and http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&al_additional_data=1 to get redirected to the admin page.