WordPress Plugin Vulnerabilities

Ultimate Dashboard < 3.7.11 - Login Page Disclosure on Multi-site

Description

The plugin is vulnerable to secret login page disclosure, allowing unauthenticated attackers to discover the secret login page URL on multi-site instances

Affects Plugins

Plugin icon
ultimate-dashboard
Fixed in 3.7.11

References

CVE
CVE-2023-49822
URL
https://patchstack.com/database/vulnerability/ultimate-dashboard/wordpress-ultimate-dashboard-plugin-3-7-10-secret-login-page-location-disclosure-on-multisites-vulnerability

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Naveen Muthusamy
Verified
No
WPVDB ID
75d3b22a-92d9-4e49-8345-958fbb78e397

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-12 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Foxit eSign for WordPress <= 2.0.3 - Authenticated (Admin+) Information Exposure
Published
2024-10-21
Title
Schema & Structured Data for WP & AMP < 1.36 - Unauthenticated Sensitive Information Exposure
Published
2024-02-02
Title
Total Upkeep < 1.15.9 - Improper Authorization to Unauthenticated Arbitrary File Download
Published
2024-08-09
Title
myCred < 2.7.3 - Unauthenticated Information Exposure
Published
2023-04-10
Title
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure