CVE-2024-6289
WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
El complemento WPS Hide Login WordPress anterior a 1.9.16.4 no impide las redirecciones a la página de inicio de sesión a través de la función auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la página de inicio de sesión oculta.
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.16.3. This is due to the plugin not prevent redirects to the login page when gravity forms is installed. This makes it possible for unauthenticated attackers to find the login page when it has been hidden.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-06-24 CVE Reserved
- 2024-06-24 CVE Published
- 2024-07-17 EPSS Updated
- 2024-08-01 First Exploit
- 2024-08-09 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793 | 2024-08-01 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unknown Search vendor "Unknown" | WPS Hide Login Search vendor "Unknown" for product "WPS Hide Login" | < 1.9.16.4 Search vendor "Unknown" for product "WPS Hide Login" and version " < 1.9.16.4" | en |
Affected
| ||||||