Defender Security < 4.1.0 – Protection Bypass (Hidden Login Page) | CVE 2023-5089

Description

The plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.

Proof of Concept

Example using GravityForms to redirect to the login page:

https://example.com/?gf_page=randomstring

Affects Plugins

defender-security

Fixed in 4.1.0

References

CVE

CVE-2023-5089

URL

https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms

Miscellaneous

Original Researcher

Juan Pablo Gomez Postigo

Submitter

Juan Pablo Gomez Postigo

Submitter website

https://www.sprocketsecurity.com/resources

Submitter twitter

jpgp__

Verified

Yes

WPVDB ID

2b547488-187b-44bc-a57d-f876a7d4c87d

Timeline

Publicly Published

2023-09-06 (about 2 years ago)

Added

2023-09-20 (about 2 years ago)

Last Updated

2023-09-20 (about 2 years ago)

Other

Published

Title

Published

2021-08-05

Title

User Rights Access Manager < 1.0.8 - Access Restriction Bypass

Published

2015-01-22

Title

Pagelines Theme <= 1.4.5 - Privilege escalation

Published

2019-09-18

Title

Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export

Published

2020-10-29

Title

WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network

Published

2025-07-24

Title

PPWP < 1.9.11 - Subscriber+ Access Bypass via REST API