Vulnerability Details CVE-2023-5089
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.828
EPSS Ranking 99.2%
CVSS Severity
CVSS v3 Score 5.3
References
- https://wpscan.com/vulnerability/2b547488-187b-44bc-a57d-f876a7d4c87d
- https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms
- https://wpscan.com/vulnerability/2b547488-187b-44bc-a57d-f876a7d4c87d
- https://www.sprocketsecurity.com/resources/discovering-wp-admin-urls-in-wordpress-with-gravityforms
Products affected by CVE-2023-5089
-
cpe:2.3:a:wpmudev:defender_security:3.11.0
-
cpe:2.3:a:wpmudev:defender_security:3.11.1
-
cpe:2.3:a:wpmudev:defender_security:3.12.0
-
cpe:2.3:a:wpmudev:defender_security:4.0.0
-
cpe:2.3:a:wpmudev:defender_security:4.0.1
-
cpe:2.3:a:wpmudev:defender_security:4.0.2