The All In One WP Security & Firewall plugin suffers from open redirect and exposure of the actual URL of the "hidden login page" feature. Edit (WPScanTeam) October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/ October 8th - Dev ACK & investigating it October 8th - v4.4.2 released, fixing the issues (confirmed by researcher)
If a site has the plugin enabled, visiting https://site.com/?aiowpsec_do_log_out=1&after_logout=https://evilsite.com will redirect the user to evilsite.com. If the rename login page feature is enabled, then the URL https://site.com/?aiowpsec_do_log_out=1&al_additional_data=1 will redirect the user to the "hidden" login page. A live proof of concept can be found on the site of one of the developers of the plugin. http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&after_logout=https://www.google.com to get redirected to www.google.com and http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&al_additional_data=1 to get redirected to the admin page.
No
2019-10-08 (about 3 years ago)
2019-10-08 (about 3 years ago)
2019-10-08 (about 3 years ago)