VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2019 · Updated Aug 6, 2024

CVE-2015-9498

Description

CSRF in wps-hide-login plugin before 1.1 for WordPress allows attackers to change plugin options via crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The wps-hide-login plugin for WordPress versions before 1.1 is vulnerable to Cross-Site Request Forgery (CSRF) when saving an option value. This allows an attacker to trick an authenticated administrator into unknowingly submitting a request that modifies plugin settings, such as the custom login URL.

Exploitation

An attacker can craft a malicious link or form that, when visited by an administrator, triggers a CSRF request to the WordPress admin area, altering the plugin's options. No authentication is required on the attacker's part, but the victim must have administrator privileges and be logged in.

Impact

Successful exploitation enables the attacker to change the plugin's configuration, potentially redirecting users to malicious URLs or breaking the login functionality. This can lead to denial of service, phishing attacks, or unauthorized access if the login URL is modified.

Mitigation

The vulnerability is fixed in version 1.1 of the wps-hide-login plugin. Users should update to version 1.1 or later (current version is 1.9.18). No workaround is available; updating the plugin is the recommended mitigation [1].

References
  1. WPS Hide Login

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing CSRF nonce validation on the option-saving action allows an attacker to change the plugin's settings via a forged cross-site request."

Attack vector

An attacker can craft a malicious link or page that, when visited by an authenticated WordPress administrator, silently submits a forged request to the plugin's settings page. Because the plugin lacked a Cross-Site Request Forgery (CSRF) nonce check, the attacker can change the custom login URL (the `whl_page` option) without the administrator's consent. This could lock the administrator out of the admin area or redirect legitimate login traffic to an attacker-controlled location. [ref_id=1]

Affected code

The vulnerability is in the settings-saving routine of the wps-hide-login plugin (versions before 1.1). The advisory does not name a specific function or file path, but the changelog entry for version 1.1 states: "Fix : CSRF security issue when saving option value in single site and multisite mode." [ref_id=1]

What the fix does

Version 1.1 added a CSRF nonce check to the option-saving endpoint, so a forged cross-site request, even one that carries an administrator's session cookie, can no longer alter the plugin's settings. The changelog notes: "Fix : CSRF security issue when saving option value in single site and multisite mode." The same release also moved the option from the Permalinks page to the General settings page because `register_setting` does not work on the Permalinks page, which further hardened the save flow. [ref_id=1]
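The defect class described in the Vulnerability and Attack vector sections, and the two fixes named here (a nonce check on the save handler, and routing the option through `register_setting`), are easier to see side by side in code. The following is an added illustration, not the wps-hide-login plugin's own source: only the option name `whl_page` comes from the advisory; the `whl_example_*` function names, the `admin_post` hook name and the nonce action/field names are assumptions chosen for this example.

```php
<?php
/**
 * Added illustration (not the wps-hide-login plugin's code). Option name
 * 'whl_page' is from the advisory; every whl_example_* name, the admin_post
 * hook and the nonce action/field names are invented for this example.
 */

// --- Vulnerable shape: no nonce, no capability check ------------------------
// Any POST that arrives with the administrator's session cookie is honoured,
// so a page the admin merely visits can submit this form on their behalf.
function whl_example_save_vulnerable() {
    if ( isset( $_POST['whl_page'] ) ) {
        update_option( 'whl_page', sanitize_title( wp_unslash( $_POST['whl_page'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened shape ---------------------------------------------------------
// 1. Render the form with a nonce bound to the current user's session.
function whl_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="whl_example_save">
        <?php wp_nonce_field( 'whl_example_save_action', 'whl_example_nonce' ); ?>
        <label>Login slug
            <input type="text" name="whl_page"
                   value="<?php echo esc_attr( get_option( 'whl_page', 'login' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Verify the nonce and the capability before touching any option.
function whl_example_save_hardened() {
    // check_admin_referer() calls wp_die() with a 403 when the nonce is absent
    // or does not match this user's session, which is exactly the forged case:
    // a cross-site page cannot read the nonce, so it cannot reproduce it.
    check_admin_referer( 'whl_example_save_action', 'whl_example_nonce' );

    $cap = is_multisite() ? 'manage_network_options' : 'manage_options';
    if ( ! current_user_can( $cap ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $slug = isset( $_POST['whl_page'] ) ? sanitize_title( wp_unslash( $_POST['whl_page'] ) ) : '';
    if ( '' === $slug ) {
        $slug = 'login'; // never persist an empty slug; that would break the login page
    }

    if ( is_multisite() ) {
        update_site_option( 'whl_page', $slug ); // network-wide (multisite mode)
    } else {
        update_option( 'whl_page', $slug );      // single-site mode
    }

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_whl_example_save', 'whl_example_save_hardened' );

// 3. Settings API path, the approach the 1.1 changelog alludes to. Options
// registered this way are submitted to wp-admin/options.php, which performs
// the nonce and capability checks itself, so there is no hand-written save
// handler in which the check can be forgotten. The group 'general' places
// the field on the General settings page, as the advisory describes.
function whl_example_register_setting() {
    register_setting(
        'general',
        'whl_page',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_title',
            'default'           => 'login',
        )
    );
}
add_action( 'admin_init', 'whl_example_register_setting' );
```

The vulnerable function is shown but deliberately not hooked. The two defensive points worth checking in any plugin review are both present in the hardened handler: a nonce that a cross-site page cannot obtain, and a capability check so that the nonce alone is never sufficient.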

Preconditions

  • Input: the attacker must trick a logged-in WordPress administrator into visiting a malicious page or clicking a crafted link.
  • Config: the target site must be running wps-hide-login version 1.0 or earlier.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)