CVE-2023-49748
Description
WPS Hide Login <=1.9.11 exposes sensitive information due to improper ACLs, allowing unauthorized access to hidden login functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPS Hide Login plugin, in versions up to and including 1.9.11, fails to properly restrict access to its custom login URL, exposing sensitive information to unauthorized actors. This ACL bypass allows attackers to reach the hidden login endpoint without the intended constraints [1].
Exploitation
An attacker can directly access the custom login URL (e.g., by guessing or discovering it) without authentication, bypassing the intended restrictions that hide the default wp-login.php and wp-admin directories [1].
Impact
Successful exploitation enables an unauthorized actor to gain access to the login functionality, which may lead to information disclosure about the site's login page or other sensitive details [1].
Mitigation
Update to version 1.9.18, released on 2026-01-12, which includes the fix. No workaround is available [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.9.11
- Range: <=1.9.11
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.