Apache httpd versions 2.4.0 to 2.4.39 are vulnerable to a mod_rewrite open redirect vulnerability.
Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
The issue was discovered by Yukitsugu Sasaki.
Upgrade to the latest version of Apache. This issue was fixed in Apache httpd 2.4.41.
WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Open Redirect (22.214.171.124)
WordPress Plugin WordPress Download Manager Open Redirect (2.9.50)
WordPress 4.6.x Multiple Vulnerabilities (4.6 - 4.6.14)
WordPress Plugin The Plus Addons for Elementor Open Redirect (4.1.9)