WordPress Plugin Vulnerabilities

HC Custom WP-Admin URL <= 1.4 - Unauthenticated Secret URL Disclosure

Description

The plugin leaks the secret login URL when sending a specific crafted request

Proof of Concept

Affects Plugins

Plugin icon
hc-custom-wp-admin-url
No known fix

References

CVE
CVE-2022-1595

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
0218c90c-8f79-4f37-9a6f-60cf2f47d47b

Timeline

Publicly Published
2022-05-18 (about 3 years ago)
Added
2022-05-18 (about 3 years ago)
Last Updated
2023-02-10 (about 2 years ago)

Other

Published
Title
Published
2018-10-02
Title
Wordfence < 7.1.14 - Username Enumeration Prevention Bypass
Published
2023-11-16
Title
AppPresser < 4.3.0 - Insecure Password Reset Mechanism
Published
2022-12-12
Title
WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
Published
2024-04-22
Title
Appointment Hour Booking < 1.4.57 - Captcha Bypass
Published
2020-05-19
Title
WP Frontend Profile < 1.2.2 - CSRF Check Incorrectly Implemented