Vulnerabilites related to wpplugins - hide_my_wp_ghost
Vulnerability from fkie_nvd
Published
2024-06-04 07:15
Modified
2025-06-30 18:18
Severity ?
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "20618EA8-05C3-4859-8E06-8A1312752311",
"versionEndExcluding": "5.0.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins \u2013 WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25."
},
{
"lang": "es",
"value": "Vulnerabilidad de restricci\u00f3n inadecuada de intentos de autenticaci\u00f3n excesivos en WPPlugins \u2013 WordPress Security Plugins Hide My WP Ghost permiten la omisi\u00f3n de funcionalidad. Este problema afecta a Hide My WP Ghost: desde n/a hasta 5.0.25."
}
],
"id": "CVE-2023-34001",
"lastModified": "2025-06-30T18:18:30.733",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
},
"published": "2024-06-04T07:15:42.770",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-ghost-security-plugin-plugin-5-0-24-captcha-bypass-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-ghost-security-plugin-plugin-5-0-24-captcha-bypass-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-23 06:15
Modified
2025-08-25 15:15
Severity ?
Summary
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "03E38802-832E-4C02-A9E6-6018C235072F",
"versionEndExcluding": "5.2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page."
},
{
"lang": "es",
"value": " El complemento de WordPress Hide My WP Ghost anterior a 5.2.02 no impide las redirecciones a la p\u00e1gina de inicio de sesi\u00f3n a trav\u00e9s de la funci\u00f3n auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la p\u00e1gina de inicio de sesi\u00f3n oculta."
}
],
"id": "CVE-2024-6420",
"lastModified": "2025-08-25T15:15:36.527",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-23T06:15:11.413",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-27 16:15
Modified
2025-06-25 20:47
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through 5.4.01.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C02F7EE9-466A-4182-838E-F360048B56E8",
"versionEndExcluding": "5.4.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through 5.4.01."
},
{
"lang": "es",
"value": "Vulnerabilidad de control inadecuado del nombre de archivo para la declaraci\u00f3n Include/Require en el programa PHP (\u0027Inclusi\u00f3n de archivos remotos PHP\u0027) en John Darrel Hide My WP Ghost permite la inclusi\u00f3n de archivos locales PHP. Este problema afecta a Hide My WP Ghost: desde n/a hasta 5.4.01."
}
],
"id": "CVE-2025-26909",
"lastModified": "2025-06-25T20:47:07.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-27T16:15:30.400",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-98"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-09 03:15
Modified
2024-11-21 07:35
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "49D787EA-9201-4B93-9578-E47EC518F60A",
"versionEndIncluding": "5.0.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost \u2013 Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in."
}
],
"id": "CVE-2022-4537",
"lastModified": "2024-11-21T07:35:26.953",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-09T03:15:09.267",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-12 08:15
Modified
2025-02-25 19:38
Severity ?
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "245B64BB-D740-4E0B-B741-F97961763F4A",
"versionEndExcluding": "5.4.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location."
},
{
"lang": "es",
"value": "El complemento WP Ghost (Hide My WP Ghost) \u2013 Security \u0026amp; Firewall para WordPress es vulnerable a la divulgaci\u00f3n de la p\u00e1gina de inicio de sesi\u00f3n en todas las versiones hasta la 5.3.02 incluida. Esto se debe a que el complemento no restringe correctamente la ruta /wp-register.php. Esto hace posible que atacantes no autenticados descubran la ubicaci\u00f3n oculta de la p\u00e1gina de inicio de sesi\u00f3n."
}
],
"id": "CVE-2024-13794",
"lastModified": "2025-02-25T19:38:05.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2025-02-12T08:15:08.430",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3235271%40hide-my-wp\u0026new=3235271%40hide-my-wp\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9effa526-7454-4490-9bf4-0605254d6625?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-693"
}
],
"source": "security@wordfence.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-15 07:15
Modified
2024-11-20 15:01
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A5D403F8-70D1-49D1-9488-31E8C3B25B2B",
"versionEndExcluding": "5.3.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link."
},
{
"lang": "es",
"value": "El complemento Hide My WP Ghost \u2013 Security \u0026amp; Firewall para WordPress es vulnerable a ataques de Cross-Site Scripting Reflejado a trav\u00e9s de la URL en todas las versiones hasta la 5.3.01 incluida, debido a una desinfecci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario administrativo para que realice una acci\u00f3n como hacer clic en un enlace."
}
],
"id": "CVE-2024-10825",
"lastModified": "2024-11-20T15:01:19.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T07:15:17.237",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.3.01/classes/Tools.php#L633"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.3.01/classes/Tools.php#L638"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3186489/hide-my-wp/trunk/classes/Tools.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c467a634-d5cf-4e80-9a64-009cdad2a684?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-14 05:15
Modified
2025-06-20 18:13
Severity ?
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpplugins | hide_my_wp_ghost | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C02F7EE9-466A-4182-838E-F360048B56E8",
"versionEndExcluding": "5.4.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information."
},
{
"lang": "es",
"value": "El complemento WP Ghost (Hide My WP Ghost) \u2013 Security \u0026amp; Firewall para WordPress, es vulnerable a Path Traversal en todas las versiones hasta la 5.4.01 incluida, a trav\u00e9s de la funci\u00f3n showFile. Esto permite que atacantes no autenticados lean el contenido de ciertos tipos de archivos en el servidor, que pueden contener informaci\u00f3n confidencial."
}
],
"id": "CVE-2025-2056",
"lastModified": "2025-06-20T18:13:13.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2025-03-14T05:15:42.523",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.4.02/models/Files.php#L336"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43db496-80ea-442c-9417-7aa03ec95f02?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
CVE-2025-26909 (GCVE-0-2025-26909)
Vulnerability from cvelistv5
Published
2025-03-27 15:48
Modified
2025-03-27 16:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through 5.4.01.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| John Darrel | Hide My WP Ghost |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:16:52.644331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:17:01.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hide-my-wp",
"product": "Hide My WP Ghost",
"vendor": "John Darrel",
"versions": [
{
"changes": [
{
"at": "5.4.02",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.4.01",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dimas Maulana (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Hide My WP Ghost: from n/a through 5.4.01.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.This issue affects Hide My WP Ghost: from n/a through 5.4.01."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-252 PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:48:49.350Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Hide My WP Ghost plugin to the latest available version (at least 5.4.02)."
}
],
"value": "Update the WordPress Hide My WP Ghost plugin to the latest available version (at least 5.4.02)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Hide My WP Ghost plugin \u003c= 5.4.01 - Local File Inclusion to RCE vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26909",
"datePublished": "2025-03-27T15:48:49.350Z",
"dateReserved": "2025-02-17T11:50:52.141Z",
"dateUpdated": "2025-03-27T16:17:01.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6420 (GCVE-0-2024-6420)
Vulnerability from cvelistv5
Published
2024-07-23 06:00
Modified
2025-08-27 12:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Hide My WP Ghost |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "hide_my_wp_ghost",
"vendor": "wpplugins",
"versions": [
{
"lessThan": "5.2.02",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-6420",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:52:17.212917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:54:21.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hide My WP Ghost",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.2.02",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juan Pablo Gomez Postigo"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:00:48.445Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hide My WP Ghost \u003c 5.2.02 - Hidden Login Page Disclosure",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-6420",
"datePublished": "2024-07-23T06:00:03.289Z",
"dateReserved": "2024-07-01T07:35:01.524Z",
"dateUpdated": "2025-08-27T12:00:48.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10825 (GCVE-0-2024-10825)
Vulnerability from cvelistv5
Published
2024-11-15 06:48
Modified
2024-11-15 18:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | Hide My WP Ghost – Security & Firewall |
Version: * ≤ 5.3.01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T18:08:11.029466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T18:08:30.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hide My WP Ghost \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.3.01",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T06:48:04.243Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c467a634-d5cf-4e80-9a64-009cdad2a684?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.3.01/classes/Tools.php#L633"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.3.01/classes/Tools.php#L638"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3186489/hide-my-wp/trunk/classes/Tools.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-04T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-11-14T18:16:20.000+00:00",
"value": "Disclosed"
}
],
"title": "Hide My WP Ghost \u2013 Security \u0026 Firewall \u003c= 5.3.01 - Reflected Cross-Site Scripting via URL"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10825",
"datePublished": "2024-11-15T06:48:04.243Z",
"dateReserved": "2024-11-04T21:55:43.552Z",
"dateUpdated": "2024-11-15T18:08:30.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2056 (GCVE-0-2025-2056)
Vulnerability from cvelistv5
Published
2025-03-14 04:22
Modified
2025-03-14 13:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Version: * ≤ 5.4.01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T13:45:05.965351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T13:45:48.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.4.01",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T04:22:34.842Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f43db496-80ea-442c-9417-7aa03ec95f02?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.4.02/models/Files.php#L336"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-05T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-03-13T16:21:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Ghost \u003c= 5.4.01 - Unauthenticated Limited File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2056",
"datePublished": "2025-03-14T04:22:34.842Z",
"dateReserved": "2025-03-06T15:06:51.356Z",
"dateUpdated": "2025-03-14T13:45:48.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34001 (GCVE-0-2023-34001)
Vulnerability from cvelistv5
Published
2024-06-04 07:09
Modified
2024-08-02 15:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPPlugins – WordPress Security Plugins | Hide My WP Ghost |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T15:24:51.351378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:21:16.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-ghost-security-plugin-plugin-5-0-24-captcha-bypass-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hide-my-wp",
"product": "Hide My WP Ghost",
"vendor": "WPPlugins \u2013 WordPress Security Plugins",
"versions": [
{
"changes": [
{
"at": "5.0.26",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.25",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "konagash (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins \u2013 WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.\u003cp\u003eThis issue affects Hide My WP Ghost: from n/a through 5.0.25.\u003c/p\u003e"
}
],
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins \u2013 WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T07:09:44.976Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-ghost-security-plugin-plugin-5-0-24-captcha-bypass-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 5.0.26 or a higher version."
}
],
"value": "Update to 5.0.26 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Hide My WP Ghost \u2013 Security Plugin plugin \u003c= 5.0.25 - Captcha Bypass vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-34001",
"datePublished": "2024-06-04T07:09:44.976Z",
"dateReserved": "2023-05-25T11:25:11.062Z",
"dateUpdated": "2024-08-02T15:54:14.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4537 (GCVE-0-2022-4537)
Vulnerability from cvelistv5
Published
2023-05-09 02:47
Modified
2025-01-13 16:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | Hide My WP Ghost – Security Plugin |
Version: * ≤ 5.0.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:41:45.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T16:17:32.379265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T16:50:23.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hide My WP Ghost \u2013 Security Plugin",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.0.18",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammadreza Rashidi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hide My WP Ghost \u2013 Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T02:47:14.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131"
},
{
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-14T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4537",
"datePublished": "2023-05-09T02:47:14.059Z",
"dateReserved": "2022-12-16T01:31:35.829Z",
"dateUpdated": "2025-01-13T16:50:23.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13794 (GCVE-0-2024-13794)
Vulnerability from cvelistv5
Published
2025-02-12 07:35
Modified
2025-02-18 17:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-693 - Protection Mechanism Failure
Summary
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| johndarrel | WP Ghost (Hide My WP Ghost) – Security & Firewall |
Version: * ≤ 5.3.02 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13794",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:52:58.841830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:40:12.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall",
"vendor": "johndarrel",
"versions": [
{
"lessThanOrEqual": "5.3.02",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Mun"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ghost (Hide My WP Ghost) \u2013 Security \u0026 Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T07:35:39.178Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9effa526-7454-4490-9bf4-0605254d6625?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3235271%40hide-my-wp\u0026new=3235271%40hide-my-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Hide My WP Ghost \u2013 Security \u0026 Firewall \u003c= 5.3.02 - Unauthenticated Login Page Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13794",
"datePublished": "2025-02-12T07:35:39.178Z",
"dateReserved": "2025-01-29T21:07:16.788Z",
"dateUpdated": "2025-02-18T17:40:12.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}