CVE-2024-6420
📋 TL;DR
This vulnerability in the Hide My WP Ghost WordPress plugin allows unauthenticated attackers to bypass login page hiding by exploiting the auth_redirect function. WordPress sites using vulnerable versions of this plugin are affected, potentially exposing their hidden login pages to unauthorized access.
💻 Affected Systems
- Hide My WP Ghost WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to hidden WordPress login pages, enabling brute force attacks, credential theft, and potential site takeover if weak credentials are used.
Likely Case
Attackers discover and access the hidden login page, increasing the attack surface for brute force attempts and reconnaissance.
If Mitigated
With strong passwords, rate limiting, and additional authentication layers, impact is limited to exposing the login page location.
🎯 Exploit Status
Exploitation requires knowledge of the hidden login URL or discovery through enumeration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.02
Vendor Advisory: https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Hide My WP Ghost.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.2.02+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Hide My WP Ghost plugin until patched.
wp plugin deactivate hide-my-wp-ghost
Restrict Login Page Access
Use web server rules to restrict access to login page by IP.
# Apache:
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Nginx:
allow 192.168.1.0/24;
deny all;
🧯 If You Can't Patch
- Implement strong password policies and enable two-factor authentication
- Deploy web application firewall rules to block unauthorized login attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If Hide My WP Ghost version is below 5.2.02, it's vulnerable.
Check Version:
wp plugin get hide-my-wp-ghost --field=version
Verify Fix Applied:
Confirm plugin version is 5.2.02 or higher. Test that unauthenticated users cannot access the hidden login page.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from new IPs
- Access to hidden login page by unauthenticated users
Network Indicators:
- Unusual traffic to login page from diverse IP ranges
SIEM Query:
source="wordpress.log" AND (uri="/wp-login.php" OR uri="/hidden-login-path") AND status=200 AND user="-"
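The log indicators above applied to web server access logs, as an added example (not part of the original advisory or the plugin): it flags unauthenticated 200 responses for a login path and IPs that burst login POSTs, using constructed combined-format log lines and the placeholder hidden path /hidden-login-path from the SIEM query.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access-log lines (not real traffic); the hidden
# path /hidden-login-path is the placeholder used in the SIEM query above.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:05 +0000] "GET /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:09 +0000] "POST /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:12 +0000] "POST /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:15 +0000] "POST /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:19 +0000] "POST /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:22 +0000] "POST /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - admin [10/Jul/2024:12:02:00 +0000] "GET /hidden-login-path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = {"/wp-login.php", "/hidden-login-path"}  # default plus hidden path

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events

def unauthenticated_login_page_hits(events):
    """Successful (200) loads of a login path where the authuser field is '-'."""
    return [(e["ip"], e["path"]) for e in events
            if e["method"] == "GET" and e["path"] in LOGIN_PATHS
            and e["status"] == 200 and e["user"] == "-"]

def bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """IPs that sent at least `threshold` login POSTs inside any span of `window`."""
    posts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] in LOGIN_PATHS:
            posts[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in posts.items():
        times.sort()  # sliding window over sorted timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged
```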