All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure



Description
The All In One WP Security & Firewall plugin is affected by an open redirect and exposes the actual URL of its "hidden login page" feature.

Edit (WPScanTeam)
October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/
October 8th - Dev ACK & investigating it
October 8th - v4.4.2 released, fixing the issues (confirmed by researcher)

Proof of Concept
The PoC will be displayed on October 22, 2019, to give users the time to update.

Affects Plugin

fixed in version 4.4.2

Classification

Type REDIRECT
CWE CWE-601

Miscellaneous

Views 3292
Verified No
WPVDB ID 9898

Timeline

Publicly Published 2019-10-08
Added 2019-10-08
Last Updated 2019-10-08
