WPS Hide Login < 1.9.16.4 - Hidden Login Page Disclosure
Description
The WPS Hide Login plugin before 1.9.16.4 fails to block auth_redirect, exposing hidden login pages to unauthenticated visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPS Hide Login WordPress plugin before version 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function. This allows the hidden login page to be accessed directly [1].
Exploitation
An unauthenticated attacker can access the hidden login page by triggering the auth_redirect function, typically by visiting a URL that the plugin was meant to protect. No authentication or special privileges are required.
Impact
Successful exploitation reveals the login page location, enabling attackers to perform brute-force attacks or other login-related exploits. This undermines the plugin's purpose of hiding the login endpoint.
Mitigation
Update to version 1.9.16.4 or later, which fixes this vulnerability [1]. No workarounds are available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.9.16.4
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/ (mitre, exploit, vdb-entry, technical-description)