CVE-2023-5089
Published 2023-10-16
Priority: P3 · 38 · medium · CVSS 3.1 base score: 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 2.23% (80.6th percentile)
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmudev | defender_security | < 4.1.0 | 4.1.0 |
Detection & IOCs (extracted from sources)
- Send a GET request to /?gf_page=randomstring; a vulnerable site (with hidden login page enabled) will redirect to wp-login.php and the Location header will contain the encoded string '%2F%3Fgf_page%3Drandomstring&reauth=1', indicating the auth_redirect bypass succeeded.
- A non-vulnerable (patched) site will NOT have 'wp-login.php' in the Location header for the same request; use absence of 'wp-login.php' in Location as a negative signal when combined with the encoded redirect parameter.
- Fingerprint vulnerable WordPress installations by searching for the string '/wp-content/plugins/defender-security/' in HTTP response bodies (Shodan, FOFA, PublicWWW).
- The bypass is only exploitable when the 'hide login page' feature of the Defender Security plugin is actively enabled; sites with that feature disabled are not affected.
- The Nuclei template uses a two-condition AND match: the Location header must NOT contain 'wp-login.php' (negative DSL check) AND must contain the encoded redirect string. Both conditions must be true simultaneously to confirm vulnerability; tune detections accordingly to avoid false positives.
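The two-condition match described for the Nuclei template, as an added example (not code from this page or from the template author) that evaluates already-captured response heads rather than sending any request. The hostname, the hidden login slug and the probe value in the sample responses are constructed placeholders.

```python
from typing import Dict

# Indicator strings quoted on this page for the Nuclei template's match.
LOGIN_PAGE = "wp-login.php"
ENCODED_REDIRECT = "%2F%3Fgf_page%3D"  # URL-encoded "/?gf_page=" inside redirect_to

def parse_response_head(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into {lowercased header name: value};
    the status line is kept under the key '_status'."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def matches_bypass_signature(raw: str, probe_value: str) -> bool:
    """Two-condition AND match as described for the template: the Location
    header must NOT contain 'wp-login.php' AND must contain the encoded
    redirect parameter carrying the probe value plus '&reauth=1'.
    Requiring both keeps a stock WordPress redirect (to wp-login.php)
    from counting as a hit."""
    location = parse_response_head(raw).get("location", "")
    has_login_page = LOGIN_PAGE in location
    has_encoded_redirect = (ENCODED_REDIRECT + probe_value + "&reauth=1") in location
    return (not has_login_page) and has_encoded_redirect

# Constructed sample responses (not captured from any real site).
VULNERABLE_HEAD = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.invalid/hidden-login-slug"
    "?redirect_to=https%3A%2F%2Fexample.invalid%2F%3Fgf_page%3Dabc123&reauth=1\r\n"
    "\r\n"
)
STOCK_WP_HEAD = (  # hide-login feature off: WordPress redirects to wp-login.php
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.invalid/wp-login.php"
    "?redirect_to=https%3A%2F%2Fexample.invalid%2F%3Fgf_page%3Dabc123&reauth=1\r\n"
    "\r\n"
)
NOT_FOUND_HEAD = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("vulnerable", VULNERABLE_HEAD), ("stock", STOCK_WP_HEAD), ("404", NOT_FOUND_HEAD)]:
        print(label, matches_bypass_signature(head, "abc123"))
```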
No detection rules found.
Nuclei
CVE-2023-5089 [MEDIUM] Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page) (nuclei · CVSS 5.3)
Template:

```yaml
id: CVE-2023-5089
info:
  name: Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
  author: jpg0mez
  severity: medium
  description: |
    The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
  impact: |
    Unauthenticated attacker
```
No writeups or analysis indexed.
References:
- https://wpscan.com/vulnerability/2b547488-187b-44bc-a57d-f876a7d4c87d
- https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms