CVE-2019-15824
Description
The wps-hide-login plugin before 1.5.3 allows bypassing admin access restrictions via the 'adminhash' GET parameter, exposing wp-admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wps-hide-login plugin for WordPress versions before 1.5.3 contains an authentication bypass vulnerability in the adminhash protection mechanism. The flaw resides in file /classes/plugins.php at lines 477-480. When the plugin checks for admin access, it redirects non-logged-in users away from wp-admin, but the code includes a condition that if the adminhash parameter is present in the URL ($_GET['adminhash']), the redirect is skipped, allowing direct access to the admin dashboard [2]. No special configuration beyond installing the plugin is required for the vulnerable code path to be reachable.
Exploitation
An unauthenticated attacker can exploit this bypass simply by appending ?adminhash=1 (or any non-empty value) to a URL pointing to the WordPress admin area, for example https://example.com/wp-admin/?adminhash=1 [2]. No authentication, user interaction, or specific network position is needed. The attacker only needs to know the site's WordPress address; the adminhash parameter triggers the bypass regardless of the plugin's custom login URL.
Impact
Successful exploitation grants the attacker unrestricted access to the WordPress admin dashboard (/wp-admin/) without requiring any credentials [2]. This effectively bypasses the plugin's core security feature that hides the login URL and restricts admin access. An attacker with admin panel access can then perform any administrative action, including modifying themes/plugins, creating new admin users, or injecting malicious content, leading to complete site compromise.
Mitigation
A fix was released in version 1.5.3 of the wps-hide-login plugin [1]. Users should immediately update to version 1.5.3 or later through the WordPress plugin repository. As of the publication date (2019-08-30), no workarounds were documented; the only mitigation is to upgrade the plugin. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/wps-hide-login
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly validate certain URL parameters, allowing unauthenticated users to bypass the login protection."
Attack vector
An unauthenticated attacker can bypass the WPS Hide Login protection by crafting a specific URL. By including the parameter `adminhash` in the URL, an attacker can gain access to the login page, even if it has been renamed by the plugin [ref_id=2]. Another bypass involves using the `action=confirmaction` parameter in the URL, which also allows access to the login page [ref_id=2]. Additionally, a bypass exists for password-protected posts by sending a POST request with the `post_password` parameter and a crafted `Referer` header containing 'wp-login.php' [ref_id=2].
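As an added detection example (not code from the CVE record or the plugin), the following Python scans web-server access logs for the three request patterns described above. It assumes the Apache/Nginx combined log format, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2019:10:01:02 +0000] "GET /wp-admin/?adminhash=1 HTTP/1.1" 200 5120 "-" "curl/7.64.1"
203.0.113.5 - - [30/Aug/2019:10:01:09 +0000] "GET /my-secret-login/?action=confirmaction HTTP/1.1" 200 4090 "-" "curl/7.64.1"
198.51.100.7 - - [30/Aug/2019:10:02:15 +0000] "POST /2019/08/private-post/ HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [30/Aug/2019:10:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def bypass_pattern(method, target, referer):
    """Name the WPS Hide Login bypass pattern a request matches, or None.

    Hits are triage candidates, not verdicts: some of these parameters also occur
    in legitimate WordPress flows, so confirm against the session/user context.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "adminhash" in query:          # ?adminhash=<anything> on wp-admin or the login URL
        return "adminhash"
    if "confirmaction" in query.get("action", []):
        return "confirmaction"        # ?action=confirmaction reaches the hidden login page
    if method == "POST" and "wp-login.php" in referer:
        return "postpass-referer"     # password-protected-post bypass via Referer header
    return None

def scan(log_text):
    """Return (client_ip, pattern, target) for every line matching a bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        pattern = bypass_pattern(m.group("method"), m.group("target"), m.group("referer"))
        if pattern:
            hits.append((m.group("ip"), pattern, m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, pattern, target in scan(SAMPLE_LOG):
        print(f"{ip}\t{pattern}\t{target}")
```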
Affected code
The vulnerabilities are located in the `/classes/plugins.php` and `/classes/plugin.php` files. Specifically, lines 427 and 477-480 in `/classes/plugins.php`, and lines 653-656 and 563 in `/classes/plugin.php` are involved in the bypass mechanisms [ref_id=2].
What the fix does
The patch addresses the bypass vulnerabilities by adding more robust checks to the plugin's logic. Specifically, it ensures that the `adminhash` parameter is not sufficient on its own to grant access and that other bypass conditions, such as the `action=confirmaction` parameter, are properly handled. These changes prevent unauthenticated users from accessing the login page through these specific URL manipulations.
Preconditions
- config: The WPS Hide Login plugin must be installed and activated.
- input: The attacker needs to know the base URL of the WordPress site.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/
- wordpress.org/plugins/wps-hide-login/
- wpvulndb.com/vulnerabilities/9469
News mentions
No linked articles in our index yet.