History: May 02, 2022 - 4:15 p.m.

CVE-2021-25102

2022-05-02 16:15:08
CWE-79
web.nvd.nist.gov
49
cve-2021-25102
wordpress plugin
security
firewall
arbitrary redirect
cross-site scripting
nvd
cve

CVSS2: 2.6 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS3: 4.7 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 40.3%

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise or escape the redirect_to parameter before using it to redirect the user, either via a Location header or via a meta url attribute, when the Rename Login Page feature is active. This could lead to an arbitrary (open) redirect as well as a cross-site scripting issue. Exploitation requires the Login Page URL value to be known, which should be hard to guess, reducing the risk.
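The description names two sinks for the same parameter: a Location header and a meta refresh attribute. The redirect sink needs host validation (open redirect); the meta sink additionally needs HTML-attribute escaping (XSS). The block below is an added example in Python, not the plugin's PHP and not the vendor's 4.4.11 fix: a validator with the same intent as WordPress's wp_validate_redirect(), the two sinks rendered safely, and the unsafe pattern the advisory describes kept alongside for contrast. The site host blog.example, the function names and the probe URLs are all constructed for this example. It goes a little beyond the description by also covering protocol-relative, backslash and userinfo tricks that browsers normalise into a foreign host, and CR/LF in the Location value.

```python
from html import escape
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the host of the WordPress site doing the redirect.
SITE_HOST = "blog.example"


def validate_redirect(raw: str, site_host: str = SITE_HOST, fallback: str = "/") -> str:
    """Return raw if it redirects within site_host, otherwise fallback.

    Hypothetical re-implementation of the intent of WordPress's
    wp_validate_redirect(), not the plugin's code: allow only http(s) URLs on
    the site's own host or an absolute path on this site; refuse anything a
    browser could be steered elsewhere by.
    """
    if not raw or not raw.strip():
        return fallback
    candidate = raw.strip()
    # CR/LF or other control characters would allow header injection via Location.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback
    # Browsers normalise backslashes to slashes, so "/\evil.example" is "//evil.example".
    candidate = candidate.replace("\\", "/")
    # "//host", "///host", ... are protocol-relative: the host is attacker chosen.
    if candidate.startswith("//"):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, vbscript: ...
    if parts.netloc:
        # hostname drops userinfo and port, so "https://blog.example@evil.example/"
        # compares as evil.example and is refused.
        if (parts.hostname or "").lower() != site_host.lower():
            return fallback
    elif not candidate.startswith("/"):
        return fallback  # bare relative paths and "https:/x" forms: refuse them
    return candidate


def redirect_response(target: str) -> Tuple[Dict[str, str], str]:
    """Emit the validated target through both sinks the advisory names: a
    Location header and a <meta http-equiv="refresh"> fallback. The meta
    attribute value is HTML-attribute escaped so a quote cannot close it."""
    headers = {"Location": target}
    body = (
        '<!doctype html><meta http-equiv="refresh" content="0;url='
        + escape(target, quote=True)
        + '">'
    )
    return headers, body


def redirect_response_unsafe(raw: str) -> Tuple[Dict[str, str], str]:
    """The pattern the advisory describes, shown for contrast only: the raw
    parameter reaches both sinks with no validation or escaping."""
    body = '<!doctype html><meta http-equiv="refresh" content="0;url=' + raw + '">'
    return {"Location": raw}, body


def handle_login_redirect(params: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Fixed handler: validate the parameter first, then render both sinks."""
    return redirect_response(validate_redirect(params.get("redirect_to", "")))


if __name__ == "__main__":
    # Constructed sample requests: open-redirect and XSS probes plus a benign value.
    for probe in [
        "https://evil.example/phish",
        "//evil.example/",
        "javascript:alert(1)",
        '/wp-login.php?x="><script>alert(1)</script>',
        "/wp-admin/",
    ]:
        print(repr(probe), "->", handle_login_redirect({"redirect_to": probe}))
```

In a real WordPress plugin the equivalent building blocks are wp_validate_redirect() or wp_safe_redirect() for the Location sink and esc_url() plus esc_attr() for the meta attribute; the page does not say which of these the 4.4.11 release used, only that the parameter was previously used unvalidated.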

Affected configurations

Vulners / NVD

Node: tipsandtricks-hq all_in_one_wp_security_&_firewall, Range: < 4.4.11

Vendor: tipsandtricks-hq
Product: all_in_one_wp_security_&_firewall
Version: *
CPE: cpe:2.3:a:tipsandtricks-hq:all_in_one_wp_security_\&_firewall:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "All In One WP Security & Firewall",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.4.11",
        "status": "affected",
        "version": "4.4.11",
        "versionType": "custom"
      }
    ]
  }
]
