8 Oct 2019

Vulnerability Details: Open Redirect in All In One WP Security

The changelog for the latest version of the plugin All In One WP Security (All In One WP Security & Firewall) is “Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)”. The entry on the WPScan Vulnerability Database for that contains almost no information and has this for the proof of concept: “The PoC will be displayed on October 22, 2019, to give users the time to update.” It is unclear what the point of that would be, since by then it would be too late for the proof of concept to be all that useful (say, if the vulnerability hasn’t been properly fixed), as hackers would already be taking advantage of the vulnerability. At the same time, we have a hard time believing anybody looking to exploit this would have any trouble figuring out how to exploit it just by looking at the relevant changes made to the plugin, considering it took us around a minute.

...


This post provides insights on a vulnerability in the WordPress plugin All In One WP Security not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.

If you were using our service, you would have already been warned about this vulnerability if your website is vulnerable due to it. You can try out our service for free and then see the rest of the details of the vulnerability.

For existing customers, please log in to your account to view the rest of the contents of the post.
