CVE-2023-5089
published 2023-10-16


Priority: P338 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit (EPSS): 2.23% (80.6th percentile)
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.

Affected (1 range)

Vendor    Product            Version range   Fixed in
wpmudev   defender_security  < 4.1.0         4.1.0

Detection & IOCs (extracted from sources)

URL: {{BaseURL}}/?gf_page=randomstring
Path: /wp-content/plugins/defender-security/
  • Send a GET request to /?gf_page=randomstring without following redirects. On a vulnerable site with the hide-login feature enabled, WordPress's auth_redirect() still answers with a redirect to the login page, and the Location header carries the encoded return parameter '%2F%3Fgf_page%3Drandomstring&reauth=1'. That Location header points at the login page the plugin is supposed to hide, which is the disclosure this CVE describes.
  • A stock WordPress install (hide-login disabled) answers the same request with a redirect to wp-login.php; that is normal auth_redirect() behaviour, not this bug. A patched install (4.1.0 or later) prevents the redirect to the login page, so the encoded redirect parameter should not appear. Treat 'wp-login.php' in the Location header as a negative signal and only flag a host when the encoded redirect parameter is present and 'wp-login.php' is absent.
  • Fingerprint WordPress sites running the plugin (any version, not only vulnerable ones) by searching for the string '/wp-content/plugins/defender-security/' in HTTP response bodies (Shodan, FOFA, PublicWWW); confirm the version or run the probe before reporting a host as vulnerable.
  • The bypass is only exploitable when the 'hide login page' feature of the Defender Security plugin is actively enabled; sites with that feature disabled are not affected.
  • The Nuclei template uses a two-condition AND match: the Location header must NOT contain 'wp-login.php' (negative DSL check) AND must contain the encoded redirect string. Both conditions must be true at once to confirm the vulnerability; tune detections accordingly so that stock WordPress redirects to wp-login.php are not reported as positives.
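Added example (written for this page; it is not the page's own code, nor the Nuclei project's or WPMU DEV's): a stand-alone Python checker that implements the probe and the two-condition Location match described in the bullets above, plus the plugin-path fingerprint. The probe path, the encoded return string and the fingerprint path are taken from this page; the hostname example.com, the hidden login slug 'secret-door' and the sample Location headers are constructed for illustration.

```python
"""
Checker for the CVE-2023-5089 hidden-login disclosure signal.

Reproduces the two-condition Location match described on this page:
  1. request /?gf_page=randomstring WITHOUT following redirects,
  2. require that the Location header does NOT contain 'wp-login.php'
     and DOES contain '%2F%3Fgf_page%3Drandomstring&reauth=1'.

Probe path, match strings and fingerprint path come from the page. The
hostname example.com, the slug 'secret-door' and the sample headers below
are constructed (hypothetical), not captured from a real host.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

PROBE_PATH = "/?gf_page=randomstring"
ENCODED_RETURN = "%2F%3Fgf_page%3Drandomstring&reauth=1"
NEGATIVE_MARKER = "wp-login.php"
PLUGIN_FINGERPRINT = "/wp-content/plugins/defender-security/"

# Constructed sample Location headers, one per outcome the page describes.
SAMPLE_LOCATIONS: Dict[str, Optional[str]] = {
    # hide-login enabled, plugin < 4.1.0: auth_redirect() leaks the hidden slug
    "vulnerable": "https://example.com/secret-door/?redirect_to="
                  "https%3A%2F%2Fexample.com%2F%3Fgf_page%3Drandomstring&reauth=1",
    # hide-login disabled (or plugin absent): stock WordPress behaviour, not this bug
    "stock": "https://example.com/wp-login.php?redirect_to="
             "https%3A%2F%2Fexample.com%2F%3Fgf_page%3Drandomstring&reauth=1",
    # redirect elsewhere without the auth_redirect() return parameter
    "other_redirect": "https://example.com/",
    # no redirect at all (plain 200 or 404)
    "none": None,
}


def classify_location(location: Optional[str]) -> str:
    """Apply the page's two-condition match to a Location header value."""
    if not location:
        return "no-redirect"
    if ENCODED_RETURN not in location:
        return "no-auth-redirect"       # auth_redirect() did not fire
    if NEGATIVE_MARKER in location:
        return "stock-wp-login"         # sent to wp-login.php: login page not hidden
    return "vulnerable"                 # hidden login URL disclosed


def leaked_login_url(location: str) -> str:
    """Strip the redirect_to query so only the disclosed login URL remains."""
    return location.split("?", 1)[0]


def has_plugin_fingerprint(body: str) -> bool:
    """Passive fingerprint: plugin asset path present in an HTML response body."""
    return PLUGIN_FINGERPRINT in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location(base_url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Send the probe and return (HTTP status, Location header) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH,
                                 headers={"User-Agent": "cve-2023-5089-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib raises HTTPError for 3xx as well as 4xx/5xx;
        # the Location header is still readable from the error object.
        return err.code, err.headers.get("Location")


def check_site(base_url: str) -> Tuple[int, Optional[str], str]:
    """Probe a live host (network access required) and classify the response."""
    status, location = fetch_location(base_url)
    return status, location, classify_location(location)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, location, verdict = check_site(sys.argv[1])
        print(f"{sys.argv[1]}: HTTP {status}, Location={location!r} -> {verdict}")
    else:
        for name, loc in SAMPLE_LOCATIONS.items():
            print(f"{name:15s} -> {classify_location(loc)}")
```

Run it with a base URL as the only argument to probe a host you are authorised to test; without arguments it classifies the constructed samples offline. Redirect following is disabled deliberately: the signal lives in the first Location header, and following it would hand you the login page body instead of the header the match needs.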