WordPress Plugin Vulnerabilities

LWS Hide Login < 2.1.9 - Protection Mechanism Bypass

Description

The LWS Hide Login plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 2.1.8. This is due to the fact that attackers can bypass the hidden login page by visiting install.php. This makes it possible for unauthenticated attackers to login to the site even when the login page has been hidden.

Affects Plugins

Plugin icon
lws-hide-login
Fixed in 2.1.9

References

CVE
CVE-2023-47818
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c

Miscellaneous

Original Researcher
Naveen Muthusamy
Verified
No
WPVDB ID
ae6da7ba-118a-4282-bf89-25f2128e02ba

Timeline

Publicly Published
2023-11-16 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2015-05-26
Title
Estrutura-Basica - Local File Download
Published
2019-02-02
Title
Meta Box < 4.16.3 - Unauthorised File Deletion
Published
2022-05-17
Title
iQ Block Country < 1.2.20 - Protection Bypass due to IP Spoofing
Published
2022-08-17
Title
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing
Published
2026-02-17
Title
Passster < 4.2.24 - Password Protection Bypass