WordPress Plugin Vulnerabilities

WPS Hide Login < 1.9.16 - Login Page Disclosure

Description

The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.

Affects Plugins

Plugin icon
wps-hide-login
Fixed in 1.9.16

References

CVE
CVE-2024-2473
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd21c7d3-a5f1-4c3a-b6ab-0a979f070a62

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nicholas Mun (NRockhouse), whattheslime
Verified
No
WPVDB ID
9313dd52-5488-401c-8f59-ef6014003048

Timeline

Publicly Published
2024-06-10 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-11 (about 1 year ago)

Other

Published
Title
Published
2023-06-05
Title
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
Published
2024-08-21
Title
Themify Builder < 7.6.2 - Missing Authorization to Authenticated (Contributor+) Post Duplication
Published
2024-03-01
Title
GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access
Published
2024-04-25
Title
WP Time Slots Booking Form < 1.2.07 - Unauthenticated Price Manipulation
Published
2025-12-16
Title
Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Profile Privacy Setting Bypass