cbcvebase.
CVE-2023-3139
published 2023-07-04

CVE-2023-3139: The Protect WP Admin WordPress plugin before 4.0 discloses the URL of the admin panel via a redirection of a crafted URL, bypassing the protection offered.

Priority: P180 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.73% (49.5th percentile)

Affected

1 range

Vendor        Product             Version range   Fixed in
wp-experts    protect_wp_admin    < 4.0           4.0

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/protect-wp-admin/readme.txt
path: /wp-content/plugins/protect-wp-admin/
  • Exploitation confirmed by a GET to /wp-login.php?action=lostpassword&error=invalidkey returning HTTP 301 with a Location header containing '?action=lostpassword&error=invalidkey', leaking the protected admin panel URL
  • The redirect Location header reveals the hidden admin panel URL; extract it with regex 'Location:([ a-z:/0-9.?=&]+)'
  • Use Shodan/FOFA/PublicWWW to enumerate exposed instances via plugin path in HTML body
  • The bypass requires only a single unauthenticated GET request (max-request: 1 for the exploit step); no authentication or special headers needed
  • The vulnerability is fixed in plugin version 4.0 and later; versions strictly below 4.0 are affected

CVSS provenance

nvd (v3.1):   6.1 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck:    6.1 MEDIUM