id: wp-security-open-redirect info: name: WordPress All-in-One Security <=4.4.1 - Open Redirect author: akincibor severity: medium description: | WordPress All-in-One Security plugin through 4.4.1 contains an open redirect vulnerability which can expose the actual URL of the hidden login page feature. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. remediation: Upgrade to 4.4.2 or later. reference: - https://wpscan.com/vulnerability/9898 - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-all-in-one-wp-security-firewall-open-redirect-4-4-1 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cwe-id: CWE-601 metadata: verified: true tags: wp-plugin,redirect,wordpress,wp,wpscan requests: - method: GET path: - "{{BaseURL}}/?aiowpsec_do_log_out=1&after_logout=https://interact.sh" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/L403F0/1 # Enhanced by md on 2022/10/19