CVE-2024-2473 Scanner

Detects login page exposure in WPS Hide Login plugin (≤ 1.9.15.2) via action=postpass request bypass.

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 9 hours
Scan only one: URL
Toolbox: -

The WPS Hide Login plugin is a widely used WordPress security tool that lets administrators obfuscate the login URL to reduce automated and targeted attacks against it. However, versions up to and including 1.9.15.2 are vulnerable to a login page disclosure issue caused by improper request handling involving the action=postpass parameter.

This vulnerability (CVE-2024-2473) allows remote, unauthenticated attackers to bypass the custom login URL setting by submitting a POST request to the default WordPress login endpoint (/wp-admin/?action=postpass). When triggered, the server may respond with a 302 redirect pointing to the actual login page, inadvertently disclosing its location even though the plugin was configured to hide it.

This information disclosure undermines the plugin's core functionality: once the real login page is known, attackers can target it with brute force or credential stuffing attacks.
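As an added example (not part of this scanner page or of the plugin's own code), here is a small Python check a site owner or SOC analyst could run over web-server access logs to spot the probe pattern described above: POST requests to /wp-admin/ carrying action=postpass, with the ones answered by a 302 flagged as likely login URL disclosures. The sample log lines are constructed, and the combined log format, IP addresses and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the common/combined access-log format (assumed; adjust to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-admin/?action=postpass HTTP/1.1" 302 0
198.51.100.2 - - [10/Apr/2024:12:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Apr/2024:12:00:04 +0000] "POST /wp-admin/?action=postpass HTTP/1.1" 404 0
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_postpass_probe(entry):
    """True for the request pattern behind CVE-2024-2473: POST /wp-admin/ with action=postpass."""
    parts = urlsplit(entry["target"])
    if entry["method"] != "POST" or parts.path.rstrip("/") != "/wp-admin":
        return False
    return "postpass" in parse_qs(parts.query).get("action", [])

def find_postpass_probes(log_text):
    """Return (ip, status, leaked) per probe; leaked=True when the server answered with a 302.

    The access log does not carry the Location header, so a 302 here means the redirect
    happened and the real login URL was probably disclosed to that client."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_postpass_probe(entry):
            results.append((entry["ip"], entry["status"], entry["status"] == 302))
    return results

if __name__ == "__main__":
    for ip, status, leaked in find_postpass_probes(SAMPLE_LOG):
        verdict = "possible login URL disclosure" if leaked else "no redirect"
        print(f"{ip} postpass probe -> {status} ({verdict})")
```

A plain GET /wp-admin/ that redirects (a normal WordPress behaviour) is deliberately not flagged, so only the postpass pattern from the description generates alerts.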
