CVE-2024-6289

6.1 MEDIUM

📋 TL;DR

The WPS Hide Login WordPress plugin before version 1.9.16.4 fails to properly restrict access to hidden login pages, allowing unauthenticated visitors to discover and potentially access the login interface. This affects WordPress sites using the vulnerable plugin version.

💻 Affected Systems

Products:
  • WPS Hide Login WordPress plugin
Versions: All versions before 1.9.16.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the WPS Hide Login plugin enabled and configured to hide the login page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers discover the hidden login page and conduct brute-force attacks or credential stuffing against admin accounts, potentially gaining administrative access to the WordPress site.

🟠 Likely Case

Attackers discover the hidden login page and attempt unauthorized login attempts, though successful exploitation requires valid credentials or additional vulnerabilities.

🟢 If Mitigated

With proper authentication controls and monitoring, impact is limited to revealing the login page location without granting access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires discovering the hidden login URL, which can be done through various WordPress functions or enumeration techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.16.4

Vendor Advisory: https://wpscan.com/vulnerability/fd6d0362-df1d-4416-b8b5-6e5d0ce84793/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPS Hide Login and click 'Update Now'.
4. Verify the version is 1.9.16.4 or later.

🔧 Temporary Workarounds

Disable WPS Hide Login Plugin (platform: linux)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate wps-hide-login

Implement Web Application Firewall Rule (platform: all)

Block access to hidden login page patterns.

🧯 If You Can't Patch

  • Implement strong password policies and multi-factor authentication for admin accounts
  • Monitor login attempts and implement rate limiting on login endpoints

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins > Installed Plugins and check the WPS Hide Login version; any version below 1.9.16.4 is vulnerable.

Check Version:

wp plugin get wps-hide-login --field=version

Verify Fix Applied:

Verify plugin version is 1.9.16.4 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from single IP
  • Access to hidden login page URLs

Network Indicators:

  • HTTP requests to /wp-login.php or custom login URLs with 200 OK responses

SIEM Query:

source="wordpress.log" AND (uri="/wp-login.php" OR uri CONTAINS "login") AND response="200"
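To make the log indicators above concrete, the following Python script, added here and not part of the advisory, runs the same detection logic over constructed Apache combined-format access log lines: it flags IPs that reached the hidden login page and IPs with repeated 200-status POSTs to a login URI (a failed WordPress login re-renders the form with 200, a successful one redirects). The hidden login slug /secret-entry, the sample IPs and the threshold of five attempts are assumptions.

```python
import re
from collections import Counter

# Assumed WPS Hide Login custom slug (not a real site's value).
HIDDEN_LOGIN_PATH = "/secret-entry"

# Constructed sample access log (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /secret-entry HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:12:01:01 +0000] "GET /secret-entry HTTP/1.1" 200 5123 "-" "curl/8.0"
192.0.2.9 - - [10/Jun/2024:12:02:00 +0000] "GET /about/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, hidden_path=HIDDEN_LOGIN_PATH, threshold=5):
    """Flag IPs that reached the hidden login page and IPs with repeated failed logins."""
    login_uris = {"/wp-login.php", hidden_path}
    failed_posts = Counter()
    discovered = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0].rstrip("/") or "/"
        if path not in login_uris:
            continue
        status = int(rec["status"])
        if rec["method"] == "GET" and path == hidden_path and status == 200:
            discovered.add(rec["ip"])  # hidden login form was served to this client
        if rec["method"] == "POST" and status == 200:
            failed_posts[rec["ip"]] += 1  # 200 on POST = form re-rendered, i.e. failed login
    return {
        "hidden_login_reached": sorted(discovered),
        "possible_brute_force": {ip: n for ip, n in failed_posts.items() if n >= threshold},
    }
```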
