WordPress Plugin Vulnerabilities
iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass
Description
Both the iThemes Security free and pro versions were affected.
- Patched in Version (iThemes Security): 7.9.1
- Patched in Version (iThemes Security Pro): 6.8.4
The bug allowed attackers to bypass the "Hide Backend" feature, that, when enabled, hides the WordPress wp-login.php and wp-admin pages.
This could allow attackers to conduct brute force or other attacks against the "hidden" pages, giving a false sense of security.
This vulnerability was discovered and responsibly disclosed by Julio Potier of SecuPress.
Update to version 7.9.1 of iThemes Security and 6.8.4 of iThemes Security Pro to receive the Hide Backed bypass workaround patch.
Proof of Concept
A POST HTTP request with GET parameters bypassed the "Hide Backend" feature in vulnerable versions: - The HTTP request method is POST - The URL is pointing on wp-login.php - The URL parameter is “action=postpass” (so it’s a GET one) - The BODY parameter is “action=login” (so it’s a POST one) According to the original researcher, "The plugin will read the GET and will let pass since it’s allowed, but WordPress will handle the POST one and will display the login form."
Affects Plugins
Fixed in 6.8.4
Fixed in 7.9.1 References
Miscellaneous
Original Researcher
Julio Potier of SecuPress
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-04-21 (about 3 years ago)
Added
2021-04-21 (about 3 years ago)
Last Updated
2021-04-22 (about 3 years ago)
WPScan 