Multiple vulnerabilities in in WPS Hide Login



Published: 2019-07-23
Risk Medium
Patch available YES
Number of vulnerabilities 5
CVE-ID N/A
CWE-ID CWE-200
CWE-287
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		WPS Hide Login
Web applications / Modules and components for CMS

Vendor Rémy Perona

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU19361

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the "/classes/plugin.php" file due to the function "wpmu_activate_signup()" is not declared yet. A remote attacker can trigger the hook “wps_hide_login_signup_enable” with the correct URL and disclose the path information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WPS Hide Login: 1.1 - 1.5.2.2

External links

http://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authentication

EUVDB-ID: #VU19360

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to insufficient authorization controls in the "/classes/plugins.php" file on 563 line. A remote attacker can modify the header “Referer” and add “wp-login.php”, send an empty POST request and gain unauthorized access to the application.

Line 563:

if ( strpos( $url, 'wp-login.php' ) !== false ) {


Mitigation

Install updates from vendor's website.

Vulnerable software versions

WPS Hide Login: 1.1 - 1.5.2.2

External links

http://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Authentication

EUVDB-ID: #VU19359

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists in the "/classes/plugins.php" file when WooCommerce (+60% of WP e-commerce) is activated. A remote attacker can access the login page and gain unauthorized access to the application.

Example:
https://example.com?action=rp&key&login

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WPS Hide Login: 1.1 - 1.5.2.2

External links

http://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Authentication

EUVDB-ID: #VU19358

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to insufficient authorization controls in the "/classes/plugins.php" file. A remote attacker can access the login page if the param “adminhash” is present in the URL and gain unauthorized access to the application.

Example:
https://exemple.com/wp-admin/?adminhash=1

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WPS Hide Login: 1.1 - 1.5.2.2

External links

http://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Authentication

EUVDB-ID: #VU19357

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to insufficient authorization controls in the "/classes/plugins.php" file. A remote attacker can access the login page if the URL contains “action=confirmaction” and gain unauthorized access to the application.

Example:
https://example.com/wp-login.php?SECUPRESSaction=confirmaction

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WPS Hide Login: 1.1 - 1.5.2.2

External links

http://secupress.me/blog/wps-hide-login-v1-5-2-2-multiples-vulnerabilities/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###