CVE-2021-24917
Published 2021-12-06
Priority P2 · 72 · high · CVSS 3.1: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 71.53% (99.3th percentile)
The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows an unauthenticated user to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpserveur | wps_hide_login | < 1.9.1 | 1.9.1 |
Detection & IOCs (extracted from sources)
Command:
GET /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
Referer: something
- Send an unauthenticated GET request to /wp-admin/options.php with any arbitrary Referer header value; a redirect response containing 'redirect_to=%2Fwp-admin%2F<something>&reauth=1' in the Location header reveals the hidden login page path.
- In the HTTP response Location header, look for the pattern 'redirect_to=%2Fwp-admin%2F<value>&reauth=1'; the <value> segment discloses the secret login page path configured by WPS Hide Login.
- A successful exploit response Location header will NOT contain 'wp-login.php', distinguishing the hidden login path from the default WordPress login.
- The vulnerability affects WPS Hide Login plugin versions <= 1.9 (before 1.9.1); scan for this plugin version on WordPress sites as a prioritisation signal.
- The Referer header value is arbitrary: any random string triggers the bypass; no specific Referer value is required for exploitation.
- The exploit is a single unauthenticated GET request; no authentication, session, or prior enumeration is needed, making it trivially scriptable at scale.
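For defenders reviewing their own web server logs, the request shape described above can be searched for directly. The following is an added example, not code from this page or from the Metasploit or Nuclei projects; it assumes Combined Log Format access logs, a hypothetical site host `example.com`, and that a Referer from the site's own pages is ordinary admin navigation.

```python
import re

from urllib.parse import urlsplit

# Combined Log Format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def probe_source(line, site_host):
    """Return the client IP if the line matches the probe pattern, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    if m["target"].split("?", 1)[0] != "/wp-admin/options.php":
        return None
    if not m["status"].startswith("3"):   # the page describes a redirect response
        return None
    referer = m["referer"]
    if referer in ("", "-"):              # the request carries a Referer header
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:                    # malformed Referer: treat as off-site
        host = None
    # Assumption: a Referer on the site's own host is normal admin navigation.
    return None if host == site_host else m["ip"]

def find_probes(lines, site_host):
    """Count matching requests per client IP."""
    hits = {}
    for line in lines:
        ip = probe_source(line, site_host)
        if ip:
            hits[ip] = hits.get(ip, 0) + 1
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical host).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "something" "curl/7.79.1"',
    '198.51.100.4 - - [06/Dec/2021:10:02:11 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Dec/2021:10:02:30 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Dec/2021:10:03:05 +0000] "GET /wp-admin/options.php?x=1 HTTP/1.1" 302 0 "qwerty" "curl/7.79.1"',
    '203.0.113.9 - - [06/Dec/2021:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Hits on a site running a version before 1.9.1 mean the hidden login path should be treated as known and changed after upgrading.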
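CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |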
No detection rules found.
Metasploit
WordPress WPS Hide Login Login Page Revealer
This module exploits a bypass issue with WPS Hide Login version <= 1.9. WPS Hide Login is used to make a new secret path to the login page, however a 'GET' request to '/wp-admin/options.php' with a referer will reveal the hidden path.
Nuclei
WordPress WPS Hide Login <1.9.1 - Information Disclosure
nuclei·CVSS 7.5
WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location.
Template:
id: CVE-2021-24917
info:
  name: WordPress WPS Hide Login <1.9.1 - Information Disclosure
  author: akincibor
  severity: high
  description: WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location.
  impact: |
    An attacker can gain
No writeups or analysis indexed.