CVE-2024-6420
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
El complemento de WordPress Hide My WP Ghost anterior a 5.2.02 no impide las redirecciones a la página de inicio de sesión a través de la función auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la página de inicio de sesión oculta.
The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 5.2.01. This is due to the plugin not prevent redirects to the login page when gravity forms is installed. This makes it possible for unauthenticated attackers to find the login page when it has been hidden.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-07-01 CVE Reserved
- 2024-07-02 CVE Published
- 2024-08-01 First Exploit
- 2024-08-09 CVE Updated
- 2024-11-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44 | 2024-08-01 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unknown Search vendor "Unknown" | Hide My WP Ghost Search vendor "Unknown" for product "Hide My WP Ghost" | < 5.2.02 Search vendor "Unknown" for product "Hide My WP Ghost" and version " < 5.2.02" | en |
Affected
| ||||||