CVE-2024-6289: 
WordPress vulnerability analysis and mitigation

The WPS Hide Login WordPress plugin before version 1.9.16.4 contains a security vulnerability identified as CVE-2024-6289. The vulnerability was discovered by Juan Pablo Gomez Postigo and publicly disclosed on June 24, 2024. This security issue affects the plugin's core functionality of hiding the WordPress login page (WPScan).

The vulnerability stems from the plugin's failure to prevent redirects to the login page via the auth_redirect WordPress function. This oversight allows unauthenticated visitors to access the hidden login page, effectively bypassing the plugin's primary security feature. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and is classified as CWE-601 (URL Redirection to Untrusted Site) (NVD).

The exploitation of this vulnerability could lead to the disclosure of the hidden login page location, compromising the primary security feature of the WPS Hide Login plugin. This exposure could potentially make the WordPress site more vulnerable to brute force attacks and other login-related security threats (WPScan).

Site administrators are strongly advised to update their WPS Hide Login plugin to version 1.9.16.4 or later, which contains the fix for this vulnerability (NVD).