CVE-2019-15826
Description
The WPS Hide Login plugin before 1.5.3 allows bypassing the renamed login URL by using the word 'wp-login.php' in the Referer header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPS Hide Login plugin for WordPress, versions before 1.5.3, contains a protection bypass vulnerability. The plugin attempts to hide the default WordPress login page by renaming the login URL. However, it fails to properly validate the Referer header, allowing an attacker to access the standard wp-login.php page by including the string "wp-login.php" anywhere in the Referer field of an HTTP request. The vulnerability is present in the plugin's code that checks the Referer header, as described in reference [2].
Exploitation
An attacker can exploit this vulnerability by sending an HTTP request to https://example.com/wp-login.php?action=postpass (or a similar endpoint) with a crafted Referer header containing the string "wp-login.php". The attack requires no authentication and can be performed remotely. The attacker simply needs to manipulate the Referer header in their HTTP request; no special network position or user interaction is needed. The WordPress core will then process the request and allow access to the login page due to the flawed Referer check in the plugin.
Impact
Successful exploitation allows an attacker to bypass the hidden login URL protection and access the standard WordPress login page (wp-login.php). This exposes the login form, which can then be used for brute-force attacks or other credential-based attacks against the site. The impact is a bypass of a security-by-obscurity measure, increasing the attack surface for the WordPress site.
Mitigation
Users should update the WPS Hide Login plugin to version 1.5.3 or later, which contains the fix for this vulnerability. As of the publication date, version 1.5.3 was the patched release [1]. Administrators should ensure automatic updates are enabled for the plugin. There is no known workaround for sites running older versions, as the vulnerability is in the core logic of the plugin.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/wps-hide-login plugin
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly validate the Referer header, allowing an attacker to bypass login protection."
Attack vector
An attacker can bypass the WPS Hide Login protection by sending a POST request to `https://example.com/wp-login.php?action=postpass` with a crafted `Referer` header containing `wp-login.php` [ref_id=2]. This causes the plugin to incorrectly validate the request, allowing access to the login page even when it should be protected. The vulnerability is present in versions prior to 1.5.3.
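Detection logic for the pattern described above, added here as an example and not part of this CVE record or of the plugin's code: a site that has renamed its login URL never emits a legitimate Referer naming `wp-login.php`, so a request to `wp-login.php` whose Referer contains that string is a useful hunting signal in web server access logs. The log lines, IP addresses and hostnames below are constructed; the Combined Log Format layout is assumed.

```python
import re

# Apache/nginx Combined Log Format: request line plus quoted Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_contains_login(referer):
    """True when the Referer carries the string that defeats the pre-1.5.3 substring check."""
    return "wp-login.php" in referer.lower()


def is_bypass_candidate(entry):
    # The request itself must target wp-login.php (query string ignored)...
    if "wp-login.php" not in entry["path"].split("?")[0]:
        return False
    # ...and carry a Referer naming wp-login.php. With the login URL renamed,
    # no browser-driven flow (including the postpass form on a protected post,
    # whose Referer is the post URL) produces such a Referer.
    return referer_contains_login(entry["referer"])


def find_bypass_attempts(lines):
    """Return the parsed entries that match the bypass pattern."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_bypass_candidate(entry):
            hits.append(entry)
    return hits


# Constructed sample log: one legitimate postpass submission, two bypass-style
# requests from the same client, and an ordinary page view.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2026:10:00:00 +0000] "POST /wp-login.php?action=postpass HTTP/1.1" '
    '302 0 "https://example.com/protected-post/" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "POST /wp-login.php?action=postpass HTTP/1.1" '
    '200 4312 "wp-login.php" "curl/7.68.0"',
    '198.51.100.7 - - [01/Jun/2026:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" '
    '200 4312 "https://example.net/wp-login.php" "curl/7.68.0"',
    '203.0.113.11 - - [01/Jun/2026:10:00:09 +0000] "GET /about/ HTTP/1.1" '
    '200 9100 "https://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} referer={hit["referer"]!r}')
```

Run against real logs, the rule is most useful when the hits are grouped by client address: the bypass is only a stepping stone, so the same client should then show up in login-form requests against `wp-login.php`, which is where rate limiting or blocking belongs.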
Affected code
The vulnerability exists in the file `/classes/plugin.php` within the WPS Hide Login plugin. Specifically, the code at line 563 checks if the `Referer` header contains the string 'wp-login.php', which is insufficient for proper security [ref_id=2]. This check is part of the logic that handles requests to the login page.
What the fix does
Version 1.5.3 addresses the vulnerability by improving the validation of the `Referer` header. The patch ensures that the `Referer` header is not simply checked for the presence of `wp-login.php`, but is more rigorously validated to prevent bypasses. This change prevents unauthenticated users from accessing the login page by manipulating the `Referer` field [ref_id=2].
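To make the difference between the two validation styles concrete, the following added example contrasts a substring test of the kind the record attributes to versions before 1.5.3 with a check that parses the Referer as a URL and requires an exact host match and an allow-listed path. This is illustrative code written for this page, not the plugin's actual patch; the site host and login slug are assumed values.

```python
from urllib.parse import urlparse


def weak_referer_check(referer):
    """Substring test: any Referer that merely contains the string passes,
    including the bare value "wp-login.php" or a URL on an unrelated host."""
    return "wp-login.php" in referer


def strict_referer_check(referer, site_host, allowed_paths):
    """Parse the Referer as a URL and accept it only if it points at this
    site and at one of the paths we expect a login-related request to come from."""
    try:
        u = urlparse(referer)
    except ValueError:
        return False
    if u.scheme not in ("http", "https"):
        return False          # bare strings such as "wp-login.php" have no scheme
    if u.netloc.lower() != site_host.lower():
        return False          # other hosts, or the site name buried in a path, fail
    return u.path in allowed_paths


# Assumed deployment values for the illustration.
SITE_HOST = "example.com"
HIDDEN_LOGIN_PATHS = {"/my-login/"}
```

Because the Referer is set by the client, even the strict form is only a hygiene improvement, not an authentication control: it removes the trivial bypass but should not be the only thing standing between an unauthenticated request and the login form.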
Preconditions
- config: The WPS Hide Login plugin must be installed and activated.
- network: The attacker must be able to send HTTP requests to the target WordPress site.
- input: The attacker must be able to control the `Referer` header of an HTTP request.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/ (MISC)
- wordpress.org/plugins/wps-hide-login/ (MISC)
- wpvulndb.com/vulnerabilities/9469 (MISC)
News mentions
No linked articles in our index yet.