All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure



Description
The All In One WP Security & Firewall plugin suffers from an open redirect and exposes the actual URL that the "hidden login page" feature is meant to conceal.

Edit (WPScanTeam)
October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/
October 8th - Dev ACK & investigating it
October 8th - v4.4.2 released, fixing the issues (confirmed by researcher)

Proof of Concept
If a site has the plugin enabled, visiting https://site.com/?aiowpsec_do_log_out=1&after_logout=https://evilsite.com will redirect the user to evilsite.com. If the rename login page feature is enabled, then the URL https://site.com/?aiowpsec_do_log_out=1&al_additional_data=1 will redirect the user to the "hidden" login page.

A live proof of concept can be found on the site of one of the developers of the plugin: visiting http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&after_logout=https://www.google.com redirects to www.google.com, and visiting http://wpsolutions-hq.com/?aiowpsec_do_log_out=1&al_additional_data=1 redirects to the admin page.
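
Added example (not part of the original advisory and not the plugin's code): a check over web server access logs that flags requests using the two parameter combinations described above, for sites that ran a version up to 4.4.1. It assumes combined-format access logs; the log lines, the function names and the use of site.com as the site's own host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_request(target, site_host):
    """Return a finding label for one request target, or None if benign."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "aiowpsec_do_log_out" not in params:
        return None
    if "al_additional_data" in params:
        return "hidden-login-probe"
    for dest in params.get("after_logout", []):
        # parse_qs has already percent-decoded the value. Relative paths
        # have no hostname and are not flagged; //host counts as external.
        host = urlsplit(dest.strip()).hostname
        if host and host.lower() != site_host.lower():
            return "external-redirect:" + host.lower()
    return None

def scan_log(lines, site_host):
    """Return (line number, client address, label) for each flagged line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        label = classify_request(match.group(1), site_host)
        if label:
            findings.append((lineno, line.split(" ", 1)[0], label))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Oct/2019:10:00:01 +0000] "GET /?aiowpsec_do_log_out=1&after_logout=https://evilsite.com HTTP/1.1" 302 0',
    '203.0.113.7 - - [08/Oct/2019:10:00:05 +0000] "GET /?aiowpsec_do_log_out=1&al_additional_data=1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [08/Oct/2019:10:01:00 +0000] "GET /?aiowpsec_do_log_out=1&after_logout=https%3A%2F%2Fsite.com%2F HTTP/1.1" 302 0',
    '198.51.100.9 - - [08/Oct/2019:10:02:00 +0000] "GET /?aiowpsec_do_log_out=1&after_logout=%2F%2Fevilsite.com%2Fa HTTP/1.1" 302 0',
    '198.51.100.4 - - [08/Oct/2019:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "site.com"):
        print(finding)
```

A same-host after_logout value (third sample line) is not flagged, so ordinary logouts that return to the site itself do not generate noise.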

Affects Plugin

Fixed in version 4.4.2

Classification

Type REDIRECT
CWE CWE-601

Miscellaneous

Views 4607
Verified No
WPVDB ID 9898

Timeline

Publicly Published 2019-10-08
Added 2019-10-08
Last Updated 2019-10-08
