CVE-2019-15825
Description
A login protection bypass in wps-hide-login before 1.5.3 allows unauthenticated access to wp-login.php via crafted request parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPS Hide Login plugin for WordPress versions before 1.5.3 contains a login protection bypass vulnerability. The plugin normally hides the standard wp-login.php URL to prevent unauthorized access. However, in a specific code path (/classes/plugin.php, lines 653‑656), if the request contains the query parameters action=rp, key, and login, the plugin redirects to the custom login URL but fails to properly block access to wp-login.php. This bypass is triggered only when the WooCommerce plugin is also active [2]. The vulnerability exists in the plugin's handling of password reset (rp) requests.
Exploitation
An attacker needs no authentication and only network access to the WordPress site. The WooCommerce plugin must be active. The attacker crafts a URL such as https://example.com?action=rp&key&login and sends it to the server. Because the vulnerable condition in /classes/plugin.php does not block the request, the attacker can access the standard WordPress login page at wp-login.php even though the plugin is supposed to hide it. No further privileges or special timings are required [2].
Impact
A successful bypass allows an attacker to reach the standard WordPress login form, undermining the plugin's obfuscation of the login URL. This exposes the site to brute‑force attacks, enumeration attempts, and other login‑page exploits that the plugin was designed to prevent. The attacker does not gain direct access to an account solely through this bypass but can now attempt to log in or leverage other login‑page vulnerabilities. The confidentiality and integrity of the site are indirectly threatened by the increased attack surface [2].
Mitigation
The vulnerability is fixed in version 1.5.3 of the WPS Hide Login plugin, as indicated in the CVE description [1]. Users should update to at least this version. No workarounds are documented; since the vulnerability requires WooCommerce, disabling WooCommerce is not a practical mitigation for most affected sites. The plugin is actively maintained and later versions include the fix [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/wps-hide-login plugin
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly validate parameters in certain URL requests, allowing bypass of the login protection mechanism."
Attack vector
An attacker can bypass the login protection by crafting a specific URL. For instance, including `action=rp&key&login` in the query string allows access to the login page even when the plugin is active [ref_id=2]. This bypass is particularly effective when WooCommerce is also activated [ref_id=2].
Affected code
The vulnerability exists in the file `/classes/plugin.php` within the WPS Hide Login plugin. Specifically, lines 653-656 in version 1.5.2.2 handle the redirection logic for the login URL, which is bypassed by the described attack vector [ref_id=2].
What the fix does
The patch addresses the vulnerability by adding more robust checks for specific action parameters in the URL. Specifically, it ensures that the `action=rp` parameter is only processed if the `key` and `login` parameters are also present, preventing unauthorized access to the login page [ref_id=2]. This change prevents the plugin from incorrectly redirecting to the new login URL under these conditions.
Preconditions
- The WPS Hide Login plugin must be installed and active.
- The WooCommerce plugin must be activated for the specific bypass vector to apply [ref_id=2].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/
- wordpress.org/plugins/wps-hide-login/
- wpvulndb.com/vulnerabilities/9469
News mentions
No linked articles in our index yet.