CVE-2021-3332
Description
WPS Hide Login 1.6.1 bypasses its protection when a post_password field is present in a POST request to the default login URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPS Hide Login plugin version 1.6.1 fails to block access to the default WordPress login page /wp-login.php when a POST request includes the post_password field. In the file /classes/plugin.php on line 494, the plugin checks for the absence of $_POST['post_password'] but does not implement an else-case, so providing this field effectively bypasses the protection mechanism [1]. Any site running version 1.6.1 is affected.
Exploitation
An unauthenticated remote attacker can bypass the hidden login feature by sending a crafted POST request to /wp-login.php that includes the parameter post_password. The attacker does not need any prior knowledge of the hidden slug or special privileges. A simple form submission with a hidden input named post_password to the default login URL triggers the bypass [1].
Impact
Successful exploitation allows the attacker to reach the standard WordPress login page, circumventing the protection intended to hide it. This may lead to increased attack surface for brute-force or credential theft attempts, depending on other site security measures.
Mitigation
WPS Hide Login version 1.6.2 or later includes a fix that properly validates the presence of post_password. Users should update immediately. No workaround is provided, and the vulnerable version 1.6.1 should no longer be used [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WPS Hide Login / WPS Hide Login
  - Range: <=1.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing else-branch in the post_password check causes the entire protection redirect to be skipped when the field is present."
Attack vector
An attacker sends a crafted POST request containing the `post_password` field (which can be empty) to the default WordPress login URL `/wp-login.php`. Because the plugin's `wp_loaded()` method only performs its redirect/blocking logic when `$_POST['post_password']` is not set, the presence of this field causes the entire protection check to be bypassed, allowing the attacker to reach the standard WordPress login page [1].
Affected code
The vulnerability resides in `/classes/plugin.php` at line 494, in the `wp_loaded()` function. The plugin checks for the absence of the `$_POST['post_password']` field but defines no `else` branch, so when the field is present the protection logic is entirely skipped [1].
What the fix does
The advisory does not include a published patch, but the remediation is straightforward: the `wp_loaded()` method must handle the case where `$_POST['post_password']` is present, either by still performing the redirect/blocking logic or by explicitly ignoring that POST field. Without an `else` branch, the protection is trivially bypassed [1].
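The shape of the defect, as an added illustration rather than the plugin's own source: a blocking decision nested under a `!isset($_POST['post_password'])` test with no `else`, placed beside one hardened form. The function names, the `$request_path`/`$post`/`$get` parameters and the `'serve'`/`'redirect_404'` return values are assumptions made for this example. The exemption for `action=postpass` in the hardened form reflects how WordPress's password-protected-post form submits `post_password` to `wp-login.php?action=postpass`; it is a design choice for this illustration, not a claim about what the 1.6.2 fix actually does.

```php
<?php
// Added illustration of the bug class described in this advisory. It is NOT
// the WPS Hide Login plugin's code; the real wp_loaded() in /classes/plugin.php
// does more than this. Only the checked condition is modelled here.

// Vulnerable shape (hypothetical reconstruction): the redirect that hides the
// default login URL runs only inside the "post_password is absent" branch.
function protect_login_vulnerable(string $request_path, array $post): string
{
    if (!isset($post['post_password'])) {
        if ($request_path === '/wp-login.php') {
            return 'redirect_404';   // default login URL is hidden
        }
    }
    // No else branch: once post_password is present (even empty), nothing
    // above blocks /wp-login.php, so the request falls through and is served.
    return 'serve';
}

// Hardened shape: decide on the request path first, independent of which POST
// fields happen to be present. Only a genuine password-protected-post
// submission (action=postpass, carrying post_password) is allowed through.
function protect_login_fixed(string $request_path, array $post, array $get = []): string
{
    $is_postpass = isset($get['action']) && $get['action'] === 'postpass'
        && isset($post['post_password']);

    if ($request_path === '/wp-login.php' && !$is_postpass) {
        return 'redirect_404';
    }
    return 'serve';
}

// Constructed requests, labelled as such: a POST to the default login URL
// that carries an empty post_password field but no postpass action.
$crafted_post = ['post_password' => ''];
$crafted_get  = [];

echo 'vulnerable: ', protect_login_vulnerable('/wp-login.php', $crafted_post), PHP_EOL;
echo 'fixed:      ', protect_login_fixed('/wp-login.php', $crafted_post, $crafted_get), PHP_EOL;

// A legitimate password-protected-post submission still passes the fixed check.
echo 'postpass:   ', protect_login_fixed('/wp-login.php', $crafted_post, ['action' => 'postpass']), PHP_EOL;
```

Run with `php` on the command line: the crafted request reaches the login page under the vulnerable shape and is redirected under the hardened one, while the `action=postpass` submission is still served by both. The point is that the decision to hide `/wp-login.php` must not be gated on the absence of a client-controlled POST field; the exemption, if any, has to be tied to the specific legitimate flow.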
Preconditions
- config: The WPS Hide Login plugin version 1.6.1 must be active on the WordPress site
- network: The attacker must be able to send HTTP POST requests to the site
- auth: No authentication is required; the bypass works for unauthenticated users
- input: The attacker sends a POST request containing the field 'post_password' (value can be empty)
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.