CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6420 – Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
https://notcve.org/view.php?id=CVE-2024-6420
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page. El complemento de WordPress Hide My WP Ghost anterior a 5.2.02 no impide las redirecciones a la página de inicio de sesión a través de la función auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la página de inicio de sesión oculta. The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 5.2.01. This is due to the plugin not prevent redirects to the login page when gravity forms is installed. This makes it possible for unauthenticated attackers to find the login page when it has been hidden. • https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4537 – Hide My WP Ghost – Security Plugin <= 5.0.18 - IP Address Spoofing to Protection Mechanism Bypass
https://notcve.org/view.php?id=CVE-2022-4537
The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in. • https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131 https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132 https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve • CWE-345: Insufficient Verification of Data Authenticity CWE-348: Use of Less Trusted Source •