CVE-2024-6420
HIGH NUCLEIHide My WP Ghost < 5.2.02 - Unauthenticated Login Page Access via auth_redirect Function
Title source: llmExploitation Summary
CVE-2024-6420 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
Nuclei Templates (1)
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
HIGHVERIFIEDby jpg0mez
FOFA:
body="/wp-content/plugins/hide-my-wp"
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/dfda6577-81aa-4397-a2d6-1d736f9ebd44/
Scores
CVSS v3
8.6
EPSS
0.0180
EPSS Percentile
75.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
Status
published
Products (1)
wpplugins/hide_my_wp_ghost
< 5.2.02
Published
Jul 23, 2024
Tracked Since
Feb 18, 2026