All In One WP Security < 4.4.11 - Authenticated Reflected Cross-Site Scripting
CVE-2021-25102

4.7MEDIUM

Key Information:

Vendor: Wordpress
Status: All In One WP Security & Firewall
Vendor: CVE Published:; 2 May 2022

What is CVE-2021-25102?

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

All In One WP Security & Firewall 4.4.11

References

https://wpscan.com/vulnerability/9b8a00a6-622b-4309-bbbf-...

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 2, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

JrXnm

JSON

Wordpress