1. Home
  2. CVE Database
  3. CVE-2021-25102
MEDIUM · 4.7

CVE-2021-25102

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or...

Vulnerability Description

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk

CVSS Score

4.7

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Tipsandtricks-HqAll In One Wp Security \& Firewall< 4.4.11

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2021-25102?

CVE-2021-25102 is a vulnerability with a CVSS score of 4.7 (MEDIUM). The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or...

How severe is CVE-2021-25102?

CVE-2021-25102 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-25102?

Check the references section above for vendor advisories and patch information. Affected products include: Tipsandtricks-Hq All In One Wp Security \& Firewall.