CVE-2021-36917

November 27, 2021

WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.

Summary:

WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.

Reference Links(if available):

  • https://patchstack.com/database/vulnerability/hide-my-wp/wordpress-hide-my-wp-premium-plugin-6-2-3-unauthenticated-plugin-deactivation-vulnerability
  • https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158
  • https://patchstack.com/hide-my-wp-vulnerabilities-fixed/

  • CVSS Score (if available)

    v2: / MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P

    v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    d838df39a709ac312b7e0cc9ba344a8ec4cac71bd20f192f4732a492c74f8f36

    MasterParser – Powerful DFIR Tool Designed For Analyzing And Parsing Linux Logs

    May 3, 2024
    hackerone

    HackerOne Bug Bounty Disclosure: http-request-smuggling-via-content-length-obfuscation-bpingel

    May 3, 2024
    gophish

    GoPhish Login Page Detected – 85[.]208[.]48[.]121:8443

    May 3, 2024
    gophish

    GoPhish Login Page Detected – 51[.]250[.]125[.]11:8443

    May 3, 2024
    gophish

    GoPhish Login Page Detected – 5[.]9[.]185[.]124:2083

    May 3, 2024