CVE-2024-6289 – WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure

https://notcve.org/view.php?id=CVE-2024-6289

The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page. El complemento WPS Hide Login WordPress anterior a 1.9.16.4 no impide las redirecciones a la página de inicio de sesión a través de la función auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la página de inicio de sesión oculta. The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.16.3. This is due to the plugin not prevent redirects to the login page when gravity forms is installed. This makes it possible for unauthenticated attackers to find the login page when it has been hidden. • https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •