WordPress Plugin Vulnerabilities
Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
Description
The plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
Proof of Concept
Example using GravityForms to redirect to the login page: https://example.com/?gf_page=randomstring
Affects Plugins
References
Miscellaneous
Original Researcher
Juan Pablo Gomez Postigo
Submitter
Juan Pablo Gomez Postigo
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-06 (about 8 months ago)
Added
2023-09-20 (about 7 months ago)
Last Updated
2023-09-20 (about 7 months ago)