What is CVE-2021-24917?

CVE-2021-24917 is a vulnerability in Wps Hide Login, classified under Incorrect Authorization. Published 2021-12-06.

Is CVE-2021-24917 known to be exploited?

12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Wps Hide Login

CVE-2021-24917

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Vulnerability class: Broken Access Control

EPSS: 0.807 (99.2th percentile) — read the EPSS interpretation.

Affected products

Unknown Wps Hide Login — versions 1.9.1

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

Public proof-of-concept exploits

Cappricio-Securities/CVE-2021-24917
buildwithlian/CVE-2021-24917
rapid7/metasploit-framework
ARPSyndicate/cvemon
ARPSyndicate/kenzer-templates
D0rDa4aN919/D0rDa4aN919
Whiteh4tWolf/pentest
dikalasenjadatang/CVE-2021-24917
soxoj/information-disclosure-writeups-and-pocs
whattheslime/wps-show-login

References

wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375 (x_refsource_MISC)
wordpress.org/support/topic/bypass-security-issue/ (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-24917?: CVE-2021-24917 is a vulnerability in Wps Hide Login, classified under Incorrect Authorization. Published 2021-12-06.
Is CVE-2021-24917 known to be exploited?: 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.