All In One WP Security < 4.4.11 – Authenticated Arbitrary Redirect / Reflected XSS | CVE 2021-25102 | Plugin Vulnerabilities

Description

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk

Proof of Concept

With a logged in user:

https://example.com/xxxxxx?redirect_to=https://wpscan.com
https://example.com/xxxxxx?redirect_to="><script>alert(/XSS/)</script>

Affects Plugins

all-in-one-wp-security-and-firewall

Fixed in 4.4.11

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

9b8a00a6-622b-4309-bbbf-fe2c7fc9f8b6

Timeline

Publicly Published

2022-04-11 (about 2 years ago)

Added

2022-04-11 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2024-01-08

Title

OneClick Chat to Order < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-02-02

Title

PT Sign Ups <= 1.0.4 - Unauthenticated Stored Cross-Site Scripting

Published

2017-07-20

Title

Weblibrarian < 3.4.8.5 - XSS

Published

2014-08-01

Title

Traffic Analyzer 3.3.2 - js/ta_loaded.js.php aoid Parameter XSS

Published

2024-03-25

Title

Web Icons < 1.0.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode