WordPress Plugin Vulnerabilities

WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure

Description

The plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

Proof of Concept

Affects Plugins

Plugin icon
wps-hide-login
Fixed in 1.9.16.4

References

CVE
CVE-2024-6289
URL
https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Juan Pablo Gomez Postigo
Submitter
Juan Pablo Gomez Postigo
Submitter website
https://www.sprocketsecurity.com/resources
Submitter twitter
jpgp__/
Verified
Yes
WPVDB ID
fd6d0362-df1d-4416-b8b5-6e5d0ce84793

Timeline

Publicly Published
2024-06-24 (about 1 year ago)
Added
2024-06-25 (about 1 year ago)
Last Updated
2024-06-25 (about 1 year ago)

Other

Published
Title
Published
2024-08-08
Title
PDF Builder for WPForms < 1.2.117 - Unauthenticated Full Path Disclosure
Published
2025-12-12
Title
Brizy – Page Builder < 2.7.17 - Contributor+ Sensitive Information Exposure
Published
2025-03-24
Title
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy < 3.3.7 - Unauthenticated Private Post Title Disclosure
Published
2024-08-14
Title
ElementsKit Pro < 3.6.7 - Authenticated (Contributor+) Sensitive Information Exposure
Published
2025-01-06
Title
Korea for WooCommerce < 1.1.12 - Authenticated (Subscriber+) Sensitive Information Exposure