WordPress Plugin Vulnerabilities
All In One WP Security < 4.4.11 - Authenticated Arbitrary Redirect / Reflected XSS
Description
The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect the user, either via a Location header or a meta url attribute, when the Rename Login Page feature is active, which could lead to an Arbitrary Redirect as well as a Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk.
Proof of Concept
With a logged in user:
https://example.com/xxxxxx?redirect_to=https://wpscan.com
https://example.com/xxxxxx?redirect_to="><script>alert(/XSS/)</script>
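The two sinks named in the description (a Location header and a meta refresh URL) need different handling: the target must be validated as same-site, and the value must be attribute-escaped before it is written into HTML. The following is an added example, not the plugin's code or its patch; the function names, the site host and the fallback URL are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code; function names are hypothetical.
// Assumption: only same-host http(s) URLs or local paths are valid targets.

function safe_redirect_target(string $target, string $site_host, string $fallback): string
{
    // Reject empty input, control characters (header splitting) and backslashes.
    if ($target === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme'])) {
        // Absolute URL: http(s) only, and the host must be this site.
        $ok = in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && isset($parts['host'])
            && strcasecmp($parts['host'], $site_host) === 0;
        return $ok ? $target : $fallback;
    }
    // No scheme: accept only a local path; "//host/..." parses with a host set.
    if (isset($parts['host']) || $target[0] !== '/') {
        return $fallback;
    }
    return $target;
}

function meta_refresh_tag(string $url): string
{
    // Attribute-escape so quotes and angle brackets cannot break out of content="".
    return '<meta http-equiv="refresh" content="0;url='
        . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed sample values; the last two are the redirect_to values from the PoC.
$samples = [
    '/wp-admin/profile.php',
    'https://example.com/wp-admin/',
    '//wpscan.com/',
    'https://wpscan.com',
    '"><script>alert(/XSS/)</script>',
];
foreach ($samples as $raw) {
    $url = safe_redirect_target($raw, 'example.com', 'https://example.com/wp-admin/');
    echo 'Location: ', $url, PHP_EOL;      // value that would be passed to header()
    echo meta_refresh_tag($url), PHP_EOL;  // value that would be written into the page
}
```

Inside WordPress itself, the core helpers wp_safe_redirect(), wp_validate_redirect() and esc_url() cover the same validation and escaping steps.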
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-04-11 (about 2 years ago)
Added
2022-04-11 (about 2 years ago)
Last Updated
2022-09-26 (about 1 year ago)