WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

All In One WP Security < 4.4.11 - Authenticated Arbitrary Redirect / Reflected XSS

Description

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk

Proof of Concept

With a logged in user:

https://example.com/xxxxxx?redirect_to=https://wpscan.com
https://example.com/xxxxxx?redirect_to="><script>alert(/XSS/)</script>

Affects Plugins

all-in-one-wp-security-and-firewall
Fixed in version 4.4.11

References

CVE
CVE-2021-25102

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified

Yes

WPVDB ID
9b8a00a6-622b-4309-bbbf-fe2c7fc9f8b6

Timeline

Publicly Published

2022-04-11 (about 8 months ago)

Added

2022-04-11 (about 8 months ago)

Last Updated

2022-09-26 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin