WPScan

WordPress Plugin Vulnerabilities

iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass

Description

Both the iThemes Security free and pro versions were affected.

- Patched in Version (iThemes Security): 7.9.1
- Patched in Version (iThemes Security Pro): 6.8.4

The bug allowed attackers to bypass the "Hide Backend" feature, which, when enabled, hides the WordPress wp-login.php and wp-admin pages.

This could allow attackers to conduct brute force or other attacks against the "hidden" pages, leaving the site owner with a false sense of security.

This vulnerability was discovered and responsibly disclosed by Julio Potier of SecuPress.

Update to version 7.9.1 of iThemes Security or 6.8.4 of iThemes Security Pro to receive the Hide Backend bypass fix.

Proof of Concept

A POST HTTP request carrying a GET (query string) parameter bypassed the "Hide Backend" feature in vulnerable versions:

- The HTTP request method is POST
- The URL points to wp-login.php
- The URL parameter is “action=postpass” (so it is a GET parameter)
- The BODY parameter is “action=login” (so it is a POST parameter)

According to the original researcher, "The plugin will read the GET and will let pass since it’s allowed, but WordPress will handle the POST one and will display the login form." 
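The parameter-source confusion described above, modelled as an added example (not the plugin's or WordPress' own code): the pre-fix check is a hypothetical reconstruction of the behaviour the researcher describes (the plugin consults only the query string), the allow-list is constructed, and the hardened check resolves `action` the way PHP's `$_REQUEST` does (GET first, then POST, POST overwriting), which is the value wp-login.php acts on.

```python
"""Model of the Hide Backend bypass: the plugin and WordPress disagree on
which 'action' parameter counts. Hypothetical reconstruction, not plugin code."""
from urllib.parse import parse_qs

# Constructed allow-list: actions the hidden login page still accepts.
ALLOWED_ACTIONS = {"postpass"}


def _last(params: str, key: str):
    """Return the last value of `key` in a query/body string, or None."""
    return parse_qs(params).get(key, [None])[-1]


def effective_action(query: str, body: str, default: str = "login") -> str:
    """Resolve 'action' as PHP's $_REQUEST does under the default request
    order: GET values first, then POST values overwrite them. wp-login.php
    falls back to 'login' when no action is supplied."""
    merged = {k: v[-1] for k, v in parse_qs(query).items()}
    merged.update({k: v[-1] for k, v in parse_qs(body).items()})
    return merged.get("action", default)


def hide_backend_vulnerable(path: str, query: str, body: str) -> bool:
    """Hypothetical pre-fix check: only the query string is inspected, so a
    POST body that sets a different action is never seen by the plugin."""
    if not path.endswith("/wp-login.php"):
        return True
    return _last(query, "action") in ALLOWED_ACTIONS


def hide_backend_hardened(path: str, query: str, body: str) -> bool:
    """Hardened check: decide on the same value WordPress will act on."""
    if not path.endswith("/wp-login.php"):
        return True
    return effective_action(query, body) in ALLOWED_ACTIONS


def action_mismatch(query: str, body: str) -> bool:
    """Detection hook for a WAF or request log: flag requests whose query
    string and body both carry 'action' but disagree on its value."""
    g, p = _last(query, "action"), _last(body, "action")
    return g is not None and p is not None and g != p


if __name__ == "__main__":
    # Constructed request matching the proof of concept above.
    req = ("/wp-login.php", "action=postpass", "action=login")
    print("WordPress sees action =", effective_action(req[1], req[2]))
    print("pre-fix allows:", hide_backend_vulnerable(*req))
    print("hardened allows:", hide_backend_hardened(*req))
    print("mismatch flagged:", action_mismatch(req[1], req[2]))
```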

Affects Plugins

- ithemes-security-pro: fixed in version 6.8.4
- better-wp-security: fixed in version 7.9.1

References

- https://secupress.me/blog/ithemes-security-7-9-1-hide-backend-bypass/
- https://plugins.trac.wordpress.org/changeset/2515054/better-wp-security

Classification

- Type: BYPASS
- Original Researcher: Julio Potier of SecuPress
- Verified: No
- WPVDB ID: 42fdb534-3aef-4ed7-94a8-4cfe8ff977e1

Timeline

- Publicly Published: 2021-04-21
- Added: 2021-04-21
- Last Updated: 2021-04-22
