All In One WP Security < 4.4.11 - Authenticated Reflected Cross-Site Scripting

An attacker must first know the renamed login page URL, which is intended to be hard to guess. Once that precondition is met, the attacker can craft a malicious link containing a `redirect_to` parameter pointing to an arbitrary external site (open redirect) or containing JavaScript code (reflected XSS). When an authenticated user or administrator visits this crafted URL, the plugin uses the unsanitized `redirect_to` value in a Location header or meta URL attribute, causing the browser to navigate to the attacker-controlled destination or execute the injected script [ref_id=1].

The vulnerability exists in the All In One WP Security & Firewall plugin's login page redirect functionality, specifically in the handling of the `redirect_to` parameter when the Rename Login Page feature is active. The advisory does not specify exact file paths or function names [ref_id=1].

The advisory states the fix was released in version 4.4.11 but does not include a patch diff. The remediation involves properly validating, sanitizing, and escaping the `redirect_to` parameter before using it in redirect headers or meta URL attributes, ensuring only allowed or safe destinations are accepted [ref_id=1].