Both the iThemes Security free and pro versions were affected.
- Patched in Version (iThemes Security): 7.9.1
- Patched in Version (iThemes Security Pro): 6.8.4
The bug allowed attackers to bypass the "Hide Backend" feature which, when enabled, hides the WordPress wp-login.php and wp-admin pages.
This could allow attackers to conduct brute force or other attacks against the "hidden" pages, leaving site owners with a false sense of security.
This vulnerability was discovered and responsibly disclosed by Julio Potier of SecuPress.
Update to version 7.9.1 of iThemes Security and 6.8.4 of iThemes Security Pro to receive the patch for the Hide Backend bypass.
Proof of Concept
A POST HTTP request that also carried a GET (query-string) parameter bypassed the "Hide Backend" feature in vulnerable versions:
- The HTTP request method is POST
- The URL points at wp-login.php
- The URL parameter is “action=postpass” (so it’s a GET one)
- The BODY parameter is “action=login” (so it’s a POST one)
According to the original researcher, "The plugin will read the GET and will let pass since it’s allowed, but WordPress will handle the POST one and will display the login form."
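As an added illustration (not the plugin's code and not its actual patch), the following Python models the mismatch the researcher describes: a gate that consults only the query-string `action`, beside one that resolves the parameter the way WordPress will (PHP's `$_REQUEST` lets POST override GET) and refuses requests whose GET and POST values disagree. The `ALLOWED_ACTIONS` allow-list, the function names and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import parse_qs

# Assumed allow-list: 'action' values Hide Backend lets reach wp-login.php
# even while the login page is hidden (postpass = password-protected posts).
ALLOWED_ACTIONS = {"postpass"}


def _param(encoded, name):
    """First value of `name` in a URL-encoded string, or None if absent."""
    return parse_qs(encoded).get(name, [None])[0]


def vulnerable_allows(method, path, query, body):
    """Model of the flawed gate: only the query-string 'action' is consulted,
    so an 'action' carried in the POST body is never examined."""
    if not path.endswith("/wp-login.php"):
        return True
    return _param(query, "action") in ALLOWED_ACTIONS


def hardened_allows(method, path, query, body):
    """Model of a correct gate: resolve 'action' as WordPress will (POST
    overrides GET, as in PHP's default $_REQUEST order) and reject the
    request outright when the query string and body disagree."""
    if not path.endswith("/wp-login.php"):
        return True
    get_action = _param(query, "action")
    post_action = _param(body, "action") if method == "POST" else None
    if get_action is not None and post_action is not None and get_action != post_action:
        return False  # conflicting values: the classic smuggling pattern
    effective = post_action if post_action is not None else get_action
    return effective in ALLOWED_ACTIONS


# Constructed request mirroring the disclosed bypass (not a captured log line).
POC = ("POST", "/wp-login.php", "action=postpass", "action=login&log=admin&pwd=x")
# Constructed legitimate password-protected-post submission.
LEGIT = ("POST", "/wp-login.php", "action=postpass", "post_password=secret")
```

Run against `POC`, the flawed gate lets the request through while the hardened gate blocks it; `LEGIT` passes both.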