WordPress Plugin Vulnerabilities

Hide My WP Ghost < 5.4.01 - Hidden Login Page Disclosure

Description

The plugin is vulnerable to Login Page Dislcosure due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.

Affects Plugins

Plugin icon
hide-my-wp
Fixed in 5.4.01

References

CVE
CVE-2024-13794
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9effa526-7454-4490-9bf4-0605254d6625

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nicholas Mun (NRockhouse)
Verified
No
WPVDB ID
c2b42199-ef25-41aa-a649-97bd8442a707

Timeline

Publicly Published
2025-02-11 (about 1 year ago)
Added
2025-02-12 (about 1 year ago)
Last Updated
2025-02-12 (about 1 year ago)

Other

Published
Title
Published
2025-09-22
Title
WP Project Manager < 2.6.26 - Unauthenticated Sensitive Information Exposure
Published
2025-07-21
Title
Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure
Published
2026-01-13
Title
LottieFiles – Lottie block for Gutenberg < 3.1.0 - Unauthenticated Sensitive Information Exposure
Published
2021-08-26
Title
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Private Content Disclosure
Published
2025-03-31
Title
GTM Kit < 2.4.1 - Unauthenticated Sensitive Information Exposure