Platform
wordpress
Component
wps-hide-login
Fixed in
1.9.16
CVE-2024-2473 describes a Login Page Disclosure vulnerability in the WPS Hide Login WordPress plugin. This flaw allows attackers to bypass the plugin's intended functionality and discover hidden login pages, potentially leading to unauthorized access attempts. The vulnerability affects versions up to and including 1.9.15.2. No official patch is currently available to address this issue.
CVE-2024-2473 affects the WPS Hide Login plugin for WordPress, creating a Login Page Disclosure vulnerability. This is due to a bypass created when the 'action=postpass' parameter is supplied. Attackers can easily discover any login page that may have been hidden by the plugin, regardless of authentication. The CVSS score of 5.3 indicates a moderate risk, but the ease of exploitation makes it a significant concern for websites relying on this plugin for enhanced security. Exposure of the login form can facilitate brute-force attacks and credential theft, compromising website integrity and user data confidentiality. Updating the plugin is crucial to mitigate this risk.
Exploitation of CVE-2024-2473 is relatively straightforward. An attacker can simply append the 'action=postpass' parameter to the website's URL. For example, if the original URL is 'https://example.com/wp-login.php', an attacker could use 'https://example.com/wp-login.php?action=postpass' to reveal the location of the hidden login form. No authentication is required to exploit this vulnerability. The ease of exploitation means attackers can automate the process of discovering vulnerable sites. Once the login form is discovered, the attacker may attempt brute-force attacks to guess user credentials.
Exploit Status
EPSS
11.76% (94% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2024-2473 is to update the WPS Hide Login plugin to the latest version (greater than 1.9.15.2). The developer has released an update that addresses the bypass vulnerability. Additionally, review the plugin’s configuration to ensure best security practices are in place. Consider implementing additional security measures, such as two-factor authentication (2FA) for users, to further strengthen protection against attacks. Regularly monitoring server logs for suspicious activity related to unauthorized login attempts is an important preventative practice. If an immediate update isn't possible, temporarily disabling the plugin until the update can be applied is a viable option.
Actualice el plugin WPS Hide Login a la última versión disponible. La vulnerabilidad se encuentra en versiones anteriores o iguales a 1.9.15.2. La actualización corregirá el problema de divulgación de la página de inicio de sesión.
Vulnerability analysis and critical alerts directly to your inbox.
It's a WordPress plugin that allows you to hide the default login page to improve security.
The update fixes a vulnerability that allows attackers to find the hidden login page, making attacks easier.
Disabling the plugin temporarily is an option until you can update it.
Implementing two-factor authentication (2FA) and monitoring server logs are good practices.
It's important to stay updated on the latest security news regarding WordPress and the plugins you use.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.