The WordPress WPS Hide Login plugin, which has 500,000+ active installations, is a popular plugin used to hide the default WordPress login page (wp-login.php). A vulnerability affecting version 1.5.4.2 and below, which could allow an attacker to find and access the secret login page, has been fixed.
In the plugins_loaded function, the plugin searches for different substrings in the REQUEST_URI environment variable using the strpos function:
    public function plugins_loaded() {
        global $pagenow;
        if ( ! is_multisite() && ( strpos( $_SERVER['REQUEST_URI'], 'wp-signup' ) !== false || strpos( $_SERVER['REQUEST_URI'], 'wp-activate' ) !== false ) && apply_filters( 'wps_hide_login_signup_enable', false ) === false ) {
            wp_die( __( 'This feature is not enabled.', 'wpserveur-hide-login' ) );
        }
        ...
        ...
Because some REQUEST_URI occurrences aren't decoded using the rawurldecode function, an attacker could percent-encode those substrings in the URL in order to evade the check. The plugin would then redirect the user to the hidden login page:
HTTP/1.1 302 Found
X-Redirect-By: WordPress
Location: https://www.example.com/foo/?action=register
Content-Length: 0
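The following is an added example (not the plugin's own code, and not the patch shipped in 1.5.5) that puts the raw substring check beside a decoded one, so the difference the advisory describes can be observed directly. The two functions, the BLOCKED_SUBSTRINGS list and the sample request URIs are all constructed for this illustration; the only thing taken from the page is the pattern of calling strpos on $_SERVER['REQUEST_URI'] without first applying rawurldecode.

```php
<?php
// Added example, not the plugin's code: a raw strpos() check on the request URI
// next to a check that decodes the URI first. All inputs below are constructed.

// Substrings the plugin refuses to serve unless signup is explicitly enabled.
const BLOCKED_SUBSTRINGS = [ 'wp-signup', 'wp-activate' ];

// Weak check: matches against the raw, still percent-encoded request URI,
// which is what the vulnerable plugins_loaded() did.
function is_blocked_raw( string $request_uri ): bool {
    foreach ( BLOCKED_SUBSTRINGS as $needle ) {
        if ( strpos( $request_uri, $needle ) !== false ) {
            return true;
        }
    }
    return false;
}

// Hardened check: decode before matching. rawurldecode() turns %XX sequences
// back into characters and leaves '+' alone, which is correct for a path.
// Decoding is repeated until the string stops changing so that a doubly
// encoded value is also caught; the loop is bounded to keep it cheap.
function is_blocked_decoded( string $request_uri ): bool {
    $uri = $request_uri;
    for ( $i = 0; $i < 5; $i++ ) {
        $decoded = rawurldecode( $uri );
        if ( $decoded === $uri ) {
            break;
        }
        $uri = $decoded;
    }
    foreach ( BLOCKED_SUBSTRINGS as $needle ) {
        if ( strpos( $uri, $needle ) !== false ) {
            return true;
        }
    }
    return false;
}

// Constructed sample values as a web server would pass them in REQUEST_URI.
$samples = [
    '/wp-signup.php',            // plain: both checks block it
    '/wp-sign%75p.php',          // one letter percent-encoded: raw check misses it
    '/%77p-activate.php?key=x',  // same idea on the activation page
    '/blog/hello-world/',        // unrelated page: neither check blocks it
];

foreach ( $samples as $uri ) {
    printf( "%-28s raw=%-7s decoded=%s\n",
        $uri,
        is_blocked_raw( $uri ) ? 'blocked' : 'allowed',
        is_blocked_decoded( $uri ) ? 'blocked' : 'allowed'
    );
}
```

Run it with `php example.php`: the first sample is blocked by both functions, the two encoded samples are blocked only by is_blocked_decoded(), and the unrelated page passes both. The general point for any deny-list comparison on a URL is that the input has to be canonicalised (decoded, and in this case repeatedly decoded) before the comparison; matching the raw bytes only catches requests that happen to be written the way the list expects.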
Timeline
The vulnerability was reported to the author on January 20, 2020 and a new version 1.5.5 was released the same day.
Recommendations
Update WPS Hide Login if you have version 1.5.4.2 or below installed.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet