The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.
Proof of Concept
The vulnerable code leading to the open redirect is in the function "redirect_to_tp_custom_password_reset" in "theplus_elementor_addon/includes/plus_addon.php"
The url : https://example.com/wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login=john
with John as a registered user on the WordPress blog, will redirect the user to http://attacker.com