CVE-2024-2473 MEDIUM

CVE-2024-2473: WPS Hide Login <= 1.9.15.2 - Login Page Disclosure

Vendor Tabrisrp
Product WPS Hide Login
Weakness CWE-863 · Incorrect authorization
Published June 11, 2024
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.

Key dates

02Disclosure timeline

June 11, 2024 CVE published
April 8, 2026 Record updated