CVE-2019-15823
Description
The wps-hide-login plugin before 1.5.3 for WordPress allows bypass of its login page protection via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wps-hide-login plugin for WordPress, versions before 1.5.3, fails to properly restrict access to the default WordPress login page (wp-login.php) and admin area (/wp-admin/). The plugin attempts to hide the login URL but contains multiple protection bypass flaws. Specifically, the plugin checks for the presence of the string action=confirmaction in a request query without proper validation [1][2]. An attacker can include this string in a URL to bypass the plugin's redirection and gain direct access to wp-login.php [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By simply appending action=confirmaction to any query parameter in a request to wp-login.php, for example https://example.com/wp-login.php?SECUPRESSaction=confirmaction, the plugin's code will include wp-login.php directly, bypassing the intended custom login page [2]. No special network position or user interaction is required beyond the ability to send HTTP requests to the WordPress site.
Impact
Successful exploitation allows an attacker to access the standard WordPress login page. While this alone does not compromise an account, it defeats the security-through-obscurity measure provided by the plugin. This can expose the login form to brute-force attacks, enumeration attempts, and other login-page-based attacks that the plugin was designed to mitigate [1][2].
Mitigation
The vulnerability is fixed in plugin version 1.5.3 [1]. Administrators should update the WPS Hide Login plugin to version 1.5.3 or later immediately. There is no known workaround short of disabling the plugin until it is updated. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
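To check whether the request pattern described above has reached a site, here is an added example (not code from the plugin or from the cited references): a Python filter over combined-format access-log lines. The log lines are constructed samples; the function names, and the treatment of a parameter literally named `action` as the legitimate form, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Client IP, request target and status from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MARKER = "action=confirmaction"  # string named in the CVE description above

def classify(line):
    """Return None for unrelated lines, else a dict describing the wp-login.php hit."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/wp-login.php"):
        return None
    # Decode first so percent-encoded variants are still matched (conservative).
    if MARKER not in unquote(url.query).lower():
        return None
    # Assumption: a legitimate link carries a parameter literally named "action".
    # The marker sitting inside another parameter name or value is the pattern to flag.
    genuine = "confirmaction" in parse_qs(url.query).get("action", [])
    return {"ip": m["ip"], "status": int(m["status"]),
            "target": m["target"], "suspicious": not genuine}

def scan(lines):
    """Return only the hits where the marker is not a real 'action' parameter."""
    return [h for h in map(classify, lines) if h and h["suspicious"]]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Aug/2019:10:01:22 +0000] "GET /wp-login.php?SECUPRESSaction=confirmaction HTTP/1.1" 200 2714 "-" "-"',
    '198.51.100.20 - - [12/Aug/2019:10:02:10 +0000] "GET /wp-login.php?action=confirmaction&request_id=7&confirm_key=abc123 HTTP/1.1" 200 1980 "-" "-"',
    '198.51.100.21 - - [12/Aug/2019:10:03:41 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.22 - - [12/Aug/2019:10:04:05 +0000] "GET /index.php?action=confirmaction HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.9 - - [12/Aug/2019:10:05:30 +0000] "GET /wp-login.php?foo=1&xaction=confirmaction HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["ip"], hit["status"], hit["target"])
```

A flagged request answered with status 200 is the one to compare against the installed plugin version, since versions before 1.5.3 are the affected ones.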
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/wps-hide-login
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly validate the 'action' parameter in requests, allowing bypass of its login protection mechanism."
Attack vector
An unauthenticated attacker can bypass the plugin's protection by sending a request to the WordPress login page that includes the query parameter 'action=confirmaction' [ref_id=2]. This bypass allows the attacker to access the login page even when the plugin is configured to hide it. The vulnerability is present in versions prior to 1.5.3 [ref_id=2].
Affected code
The vulnerability exists in the file '/classes/plugins.php' on line 427 in versions prior to 1.5.3 [ref_id=2]. The code snippet shows that if the request contains 'action=confirmaction', the plugin would incorrectly include 'wp-login.php', thereby bypassing the intended security.
What the fix does
The patch modifies the plugin's handling of incoming requests to ensure that the 'action=confirmaction' parameter is not sufficient on its own to bypass the protection. By adding more robust checks, the plugin now correctly identifies and blocks unauthorized access attempts to the login page, preventing the bypass vulnerability.
Preconditions
- config: The WPS Hide Login plugin must be installed and activated.
- network: The attacker must be able to send HTTP requests to the target WordPress site.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/ (mitre, x_refsource_MISC)
- wordpress.org/plugins/wps-hide-login/ (mitre, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/9469 (mitre, x_refsource_MISC)