Medium severity4.7NVD Advisory· Published May 2, 2022· Updated Jun 17, 2026
CVE-2021-25102
CVE-2021-25102
Description
The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <4.4.11
Patches
Vulnerability mechanics
References
1- wpscan.com/vulnerability/9b8a00a6-622b-4309-bbbf-fe2c7fc9f8b6nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.