CVE-2024-2473

Name of the Vulnerable Software and Affected Versions WPS Hide Login plugin for WordPress versions up to, and including, 1.9.15.2

Description The issue is related to a bypass that allows attackers to discover hidden login pages when the action parameter is set to postpass. This makes it possible for attackers to easily find any login page that may have been hidden by the plugin.

Recommendations For versions up to, and including, 1.9.15.2, consider disabling the plugin until a patch is available to prevent exploitation. As a temporary workaround, avoid using the action=postpass parameter in affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.