CVE-2021-24917
📋 TL;DR
This vulnerability in the WPS Hide Login WordPress plugin allows unauthenticated attackers to discover the secret login page URL by sending a crafted request to /wp-admin/options.php with a random referer string. This bypasses the plugin's security feature that hides the WordPress login page. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WPS Hide Login WordPress plugin
📦 What is this software?
Wps Hide Login by Wpserveur
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the WordPress site, allowing them to install malware, deface the site, steal data, or establish persistent backdoors.
Likely Case
Attackers discover the hidden login page and attempt brute-force attacks or credential stuffing to gain administrative access.
If Mitigated
Attackers can discover the login page but cannot proceed further due to strong authentication controls like 2FA or IP restrictions.
🎯 Exploit Status
Exploitation requires only a single HTTP request with a crafted referer header, making it trivial to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.1
Vendor Advisory: https://wordpress.org/plugins/wps-hide-login/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WPS Hide Login' and click 'Update Now'.
4. Verify the plugin version is 1.9.1 or later.
🔧 Temporary Workarounds
Disable WPS Hide Login Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate wps-hide-login
Restrict Access to /wp-admin/options.php
Block unauthenticated access to the vulnerable endpoint via web server configuration.
# Apache:
<Location "/wp-admin/options.php">
    Require valid-user
</Location>
# Nginx:
location ~ ^/wp-admin/options\.php$ {
    deny all;
}
Note that the WordPress Settings screens submit their forms to /wp-admin/options.php, so the Nginx deny all rule also stops legitimate administrators from saving settings, and the Apache Require valid-user directive only works with an AuthType/AuthUserFile (or equivalent) configuration in place; without one Apache returns a server error instead of a login prompt.
🧯 If You Can't Patch
- Implement IP-based access restrictions to the WordPress admin area using a web application firewall or server configuration.
- Enable strong multi-factor authentication (MFA) for all WordPress administrator accounts to prevent unauthorized access even if login page is discovered.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If WPS Hide Login version is below 1.9.1, the site is vulnerable.
Check Version:
wp plugin get wps-hide-login --field=version
Verify Fix Applied:
Confirm the plugin version is 1.9.1 or higher in the WordPress admin panel. Test by attempting the exploit with a tool like curl:
curl -H "Referer: random" http://yoursite.com/wp-admin/options.php
The response should not reveal the login URL.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses to /wp-admin/options.php with random or unusual Referer headers from unauthenticated users
- Increased failed login attempts to previously hidden login URLs
Network Indicators:
- HTTP requests to /wp-admin/options.php with Referer headers containing random strings from unauthenticated sources
SIEM Query:
source="web_server_logs" AND uri_path="/wp-admin/options.php" AND http_referer=* AND NOT user_agent="WordPress/*"
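As an added example that is not part of this advisory, the following Python checker applies the log indicators above to Apache/Nginx combined-format access log lines: it flags requests to /wp-admin/options.php whose Referer is present but is not a URL on the site's own host, ignores WordPress's own callbacks (user agent WordPress/*), and counts hits per source IP. The sample log lines and the site hostname example.org are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/Nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): two probes with junk Referer values,
# one legitimate settings save by an admin, and one WordPress self-request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:10:00:01 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "random" "curl/7.68.0"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "xyz123" "python-requests/2.25"
198.51.100.4 - - [10/Nov/2021:10:05:00 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.org/wp-admin/options-general.php" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2021:10:06:00 +0000] "GET /wp-admin/options.php?x=1 HTTP/1.1" 200 512 "-" "WordPress/5.8; https://example.org"
"""


def is_suspicious(rec: dict, site_host: str) -> bool:
    """True for an options.php request whose Referer is set but is not a URL on our own host,
    excluding WordPress's own user agent (the same logic as the SIEM query above)."""
    if rec["path"].split("?", 1)[0] != "/wp-admin/options.php":
        return False
    if rec["ua"].startswith("WordPress/"):
        return False
    ref = rec["referer"]
    if ref in ("", "-"):  # no Referer at all is not the bypass pattern described here
        return False
    parsed = urlparse(ref)
    return not (parsed.scheme in ("http", "https") and parsed.hostname == site_host)


def find_probes(log_text: str, site_host: str) -> Counter:
    """Count suspicious options.php requests per source IP across a block of log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.groupdict(), site_host):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in find_probes(SAMPLE_LOG, "example.org").items():
        print(f"{ip}: {n} suspicious options.php request(s)")
```

Feed it your own access log and hostname; any source that appears with more than a handful of hits in a short window matches the first log indicator above and is worth correlating with subsequent login attempts.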