WordPress Plugin Vulnerabilities

Hide My WP < 6.2.4 - Unauthenticated Plugin Deactivation

Description

The plugin does not have any authorisation check when outputing a reset token, which could then be used to deactivate the plugin via another request

Affects Plugins

Plugin icon
hide_my_wp
Fixed in 6.2.4

References

CVE
CVE-2021-36917

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
1d5bbf1e-048a-407b-8d80-cbb77438270d

Timeline

Publicly Published
2021-11-24 (about 4 years ago)
Added
2021-11-24 (about 4 years ago)
Last Updated
2022-04-10 (about 3 years ago)

Other

Published
Title
Published
2025-11-06
Title
Feeds for YouTube < 2.6.1 - Missing Authorization
Published
2024-04-22
Title
WordPress Backup & Migration < 1.4.9 - Missing Authorization to Directory Traversal
Published
2023-03-10
Title
RapidLoad Power-Up for Autoptimize < 1.7.2 - Unauthorised AJAX Calls
Published
2024-05-17
Title
Fastly < 1.2.26 - Missing Authorization via AJAX actions
Published
2025-05-16
Title
Acerola <= 1.6.5 - Missing Authorization