CVE-2021-24917 Overview
CVE-2021-24917 affects the WPS Hide Login WordPress plugin in versions prior to 1.9.1. The plugin obscures the WordPress login page by relocating it to a custom URL chosen by the administrator. A flaw in the plugin's request handling allows unauthenticated attackers to disclose this secret login path. Attackers send a crafted request to /wp-admin/options.php with a randomized Referer header, causing the plugin to leak the hidden login URL in the response. The disclosure defeats the security-through-obscurity protection the plugin provides and re-exposes the login page to credential stuffing, brute-force attacks, and automated bot traffic.
Critical Impact
Unauthenticated attackers can recover the hidden WordPress login URL, neutralizing the plugin's core protection across millions of installations.
Affected Products
- WPS Hide Login WordPress plugin versions prior to 1.9.1
- WordPress sites using wpserveur:wps_hide_login for login URL obfuscation
- All WordPress deployments relying on this plugin as their primary login-page protection control
Discovery Timeline
- 2021-12-06 - CVE-2021-24917 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2021-24917
Vulnerability Analysis
The vulnerability is an authorization bypass classified under [CWE-863] Incorrect Authorization. WPS Hide Login intercepts requests to sensitive WordPress endpoints and blocks unauthenticated access unless the request originates from the configured hidden login URL. The plugin's logic incorrectly evaluates the request context when an arbitrary Referer header is supplied. As a result, an unauthenticated request to /wp-admin/options.php accompanied by a random referer triggers a code path that exposes the secret login slug in the response.
The plugin had a large install base at the time of disclosure, broadening the exposure. Once the hidden URL is recovered, attackers can target wp-login.php directly with automated credential attacks. The EPSS model assigns this issue a high exploitation probability, reflecting widespread scanning activity against WordPress plugins.
Root Cause
The root cause is improper validation of request context inside the plugin's access-control filter. The filter treats certain referer values as a signal that the request originated from a trusted internal redirect. Because the referer is attacker-controlled, this assumption breaks the authorization decision and allows the protected endpoint to return information that should remain hidden.
Attack Vector
Exploitation requires only network access to the target site. The attacker issues an HTTP request to /wp-admin/options.php with a randomly generated Referer header value. The server responds in a way that reveals the configured custom login URL, after which the attacker visits that URL to access wp-login.php. No authentication, user interaction, or special privileges are required.
The vulnerability mechanism is described in the WPScan Vulnerability Report and the original WordPress Support Thread.
Detection Methods for CVE-2021-24917
Indicators of Compromise
- Unauthenticated GET or POST requests to /wp-admin/options.php from external IP addresses
- Requests to /wp-admin/options.php carrying unusual, random, or non-site Referer header values
- Spikes in wp-login.php traffic at the customized hidden login slug shortly after options.php probing
- Sequential requests from the same source first hitting options.php and then the recovered login URL
Detection Strategies
- Inspect web server access logs for unauthenticated requests to /wp-admin/options.php paired with anomalous referers
- Deploy WAF rules that flag options.php requests lacking a valid authenticated session cookie
- Correlate plugin version inventory against the 1.9.1 fix baseline to identify exposed WordPress hosts
- Monitor for follow-on brute-force patterns against any non-default wp-login.php URL
Monitoring Recommendations
- Forward WordPress access logs and authentication events to a centralized logging or SIEM platform for correlation
- Alert on repeated failed logins at custom login URLs that previously received no external traffic
- Track plugin inventory and version drift across WordPress estates to confirm patch coverage
- Baseline normal referer distributions for wp-admin endpoints and alert on outliers
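Detection logic for the indicators, strategies and referer baselining listed above, as an added example rather than code from the page's sources: it parses combined-format access log lines, flags requests to /wp-admin/options.php whose Referer names a host other than the site itself, and then correlates a later hit on the hidden login slug from the same address. The site hostname, the slug /secret-entrance, the ten-minute window and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

SITE_HOST = "blog.example"        # assumption: the monitored site's own hostname
HIDDEN_SLUG = "/secret-entrance"  # assumption: the slug WPS Hide Login is configured with
WINDOW = timedelta(minutes=10)    # how soon after a probe a slug hit counts as correlated
# NGINX/Apache "combined" access log format
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Constructed sample: a foreign-referer probe then a slug hit from one IP, a legitimate
# admin request with an on-site referer, and an unrelated visit to the slug.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:01:02 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "http://k9zq1x.invalid/" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2021:10:01:05 +0000] "GET /secret-entrance HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Dec/2021:10:02:00 +0000] "GET /wp-admin/options.php HTTP/1.1" 200 9001 "https://blog.example/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [06/Dec/2021:10:03:00 +0000] "GET /secret-entrance HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

def parse(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def referer_is_foreign(referer):
    """True when the Referer names another host; an empty referer is ordinary direct navigation."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname != SITE_HOST

def analyse(lines):
    """Return (alert, ip, detail) tuples: options.php probes carrying a foreign referer,
    and hidden-slug hits from an IP that probed options.php within WINDOW beforehand."""
    probes = {}  # ip -> timestamps of anomalous options.php requests
    alerts = []
    for rec in filter(None, map(parse, lines)):
        if rec["path"] == "/wp-admin/options.php" and referer_is_foreign(rec["referer"]):
            probes.setdefault(rec["ip"], []).append(rec["ts"])
            alerts.append(("options_probe", rec["ip"], rec["referer"]))
        elif rec["path"] == HIDDEN_SLUG and any(
            timedelta(0) <= rec["ts"] - t <= WINDOW for t in probes.get(rec["ip"], ())
        ):
            alerts.append(("probe_then_login", rec["ip"], rec["path"]))
    return alerts
```

Feed real access logs to analyse() after setting SITE_HOST and HIDDEN_SLUG for the site; an on-site or empty referer on options.php is deliberately not flagged, so tune referer_is_foreign() if the site legitimately receives cross-host referers on wp-admin paths.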
How to Mitigate CVE-2021-24917
Immediate Actions Required
- Upgrade WPS Hide Login to version 1.9.1 or later on every WordPress site in the environment
- Enforce strong, unique administrator passwords and enable multi-factor authentication on all WordPress accounts
- Restrict access to /wp-admin/ and wp-login.php by source IP where operationally feasible
- Review web server logs for prior probing of /wp-admin/options.php with anomalous referers
Patch Information
The vendor released WPS Hide Login 1.9.1, which corrects the authorization check so that arbitrary referer values no longer bypass the plugin's filter. Site administrators should update through the WordPress plugin dashboard or by deploying the fixed version via their preferred WordPress management workflow. Confirm the installed version after update and verify that the custom login slug still resolves correctly.
Workarounds
- Place WordPress administrative endpoints behind HTTP basic authentication or a reverse-proxy access control layer until patched
- Apply WAF rules that block unauthenticated requests to /wp-admin/options.php
- Enforce rate limiting on wp-login.php and any custom login slug to slow brute-force attempts
- Treat the hidden login URL as a defense-in-depth layer only and rely on MFA and strong credentials as the primary control
# Example WAF rule concept - block unauthenticated options.php requests
# Adjust syntax to match your WAF or reverse proxy (ModSecurity, NGINX, etc.)
# NGINX form: refuse the request unless a WordPress login cookie is present.
# Only the cookie name is checked here, not its validity, so this is a
# defense-in-depth layer; WordPress itself still validates the session.
# Because this exact-match location takes precedence over the site's generic
# PHP handler, copy that handler's directives (fastcgi_pass etc.) into this
# block so that permitted requests are still passed to PHP.
location = /wp-admin/options.php {
    if ($http_cookie !~* "wordpress_logged_in_") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


