CVE-2021-25102

Name of the Vulnerable Software and Affected Versions All In One WP Security & Firewall WordPress plugin versions prior to 4.4.11

Description The issue arises from the lack of validation, sanitization, and escaping of the redirect to parameter, which can lead to Arbitrary Redirect and Cross-Site Scripting issues when the Rename Login Page feature is active. Exploitation requires knowledge of the Login Page URL value, which is considered hard to guess, thereby reducing the risk.

Recommendations For versions prior to 4.4.11, update to version 4.4.11 or later to resolve the issue. As a temporary workaround, consider disabling the Rename Login Page feature until a patch is available. Restrict access to the login page to minimize the risk of exploitation. Avoid using the redirect to parameter in the affected plugin until the issue is resolved.