Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#28469 closed defect (bug) (invalid)

Open Redirect Vulnerability in WordPress's WP Login Plugin (wp-login.php) (CVE-2014-2229)

Reported by: blackswallow
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses: ui
Cc:


It is assigned CVE-2014-2229.

WP Login is one of the most powerful WordPress login plugins and it is widely used, i.e. [1]

However, I found that "wp-login.php" has an open redirection vulnerability. That means WP login plugin is vulnerable.

The vulnerability exists at "wp-login.php" page with "redirect_to" parameter, e.g.

(1) When a user clicks the URL ([1]) above, the "WordPress login" page appears. The user needs to enter his/her username and password. When this is done, the user is redirected to a webpage belonging to the website that installs the "WP Login" plugin.

However, it seems that "WP Login" allows some other domains, i.e.

Now, a user could be redirected from "WP login" to a vulnerable URL in google first and later be redirected from this vulnerable site to a malicious site. This is as if the user were redirected from "WP login" directly.

My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

(2) I will use the following tests to illustrate the scenario I painted above.

The redirected webpage address is "". It's one of my webpages. We can suppose that this webpage is malicious.

Vulnerable URL:


I have made a POC video for illustration. The video is available upon request.
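As an added illustration (not the plugin's code and not WordPress core's), here is a redirect_to check written in Python; the site host and the allow-list are constructed for the example. It shows why a host allow-list still passes a trusted third-party host that runs its own redirector, which is the chain described above, and why the robust policy is to accept same-site targets only.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: the site itself plus one third-party host
# that, as in the report, the plugin treats as an acceptable redirect target.
SITE_HOST = "blog.example"
ALLOWED_HOSTS = {SITE_HOST, "www.google.com"}


def redirect_host(redirect_to: str) -> Optional[str]:
    """Host a redirect_to value would send the browser to, or None when the
    value is not an http(s) URL or site-relative path. Normalises the usual
    open-redirect tricks: scheme-relative '//evil', backslash '/\\evil'
    (browsers treat '\\' as '/'), and userinfo 'https://site@evil'."""
    value = redirect_to.strip().replace("\\", "/")
    parts = urlsplit(value)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None                      # javascript:, data:, ...
    if parts.netloc:
        return parts.hostname            # userinfo/port stripped, lowercased
    if not value.startswith("/"):
        return None                      # not a path: refuse rather than guess
    return SITE_HOST                     # relative path stays on this site


def is_allowed_redirect(redirect_to: str) -> bool:
    """Host allow-list check. Note its blind spot: a target on an allowed host
    that itself redirects (e.g. a URL-forwarding endpoint) passes, and the
    browser ends up wherever that second hop points."""
    host = redirect_host(redirect_to)
    return host is not None and host in ALLOWED_HOSTS


def safe_redirect_target(redirect_to: str, fallback: str = "/wp-admin/") -> str:
    """Same-site-only policy: keep path and query of a same-site URL, rebuilt
    as a site-relative path (leading slashes collapsed so the result can never
    become scheme-relative); anything else falls back to a fixed page."""
    if redirect_host(redirect_to) != SITE_HOST:
        return fallback
    parts = urlsplit(redirect_to.strip().replace("\\", "/"))
    path = "/" + parts.path.lstrip("/")
    return path + ("?" + parts.query if parts.query else "")
```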

Change History (1)

#1 @nacin
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

When creating this ticket, was "Do not report potential security vulnerabilities here. See the Security FAQ and contact security@…." not noticeable? Honest question. If you have JavaScript enabled, you additionally would have needed to click a checkbox affirming "I am not reporting a security issue — report security issues to security@…".

I'm dealing with this through proper channels to reflect that the issue is the "WP Login" plugin. That plugin does indeed have a "wp-login.php" file, unrelated to WordPress core's "wp-login.php" file. Your report doesn't make it very clear, but WordPress core is not affected by this. I don't know through what means you requested CVE-2014-2229 but if it is classified as a vulnerability in WordPress, it will be inaccurate.

For future reference, any plugin issues can be emailed to plugins@…. Had security@… been emailed, it would have been forwarded there.
