.. / CVE-2024-6289

Exploit for WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure (CVE-2024-6289)

Description:

The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

Nuclei Template

View the template here CVE-2024-6289.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-6289.yaml
Copy

References:

https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms/
https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/
https://nvd.nist.gov/vuln/detail/CVE-2024-6289