WP Ghost (Hide My WP Ghost) Security & Firewall Login Page Disclosure Vulnerability
Vulnerability
A vulnerability allowing login page disclosure has been identified in the WP Ghost (Hide My WP Ghost) Security & Firewall plugin for WordPress, affecting all versions through 5.3.02. The issue arises because the plugin fails to properly restrict access to the wp-register.php path, allowing unauthenticated attackers to locate the hidden login page.
Impact
Exploitation of this vulnerability could lead to unauthorized discovery of the login page location, potentially enabling further attacks such as brute-force login attempts.
Reproduction
To reproduce this vulnerability, access the wp-register.php path on a WordPress site running an affected version of the WP Ghost plugin. Because the path is not properly restricted, the request reveals the location of the hidden login page to the attacker.
Remediation
Users are advised to update the WP Ghost (Hide My WP Ghost) Security & Firewall plugin to version 5.4.01 or a newer patched version.
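To check whether a site was probed before it was patched, review the web server access log for requests to wp-register.php. The script below is an added example, not part of the plugin or of this advisory: it assumes Combined Log Format, and the log lines, IP addresses, status codes and the /example-hidden-login path are constructed for illustration. It flags each client that requested wp-register.php and counts the POST requests that client sent afterwards, a heuristic for the brute-force follow-up described under Impact.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, hypothetical hidden login path).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-register.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /example-hidden-login HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "POST /example-hidden-login HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "POST /example-hidden-login HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [10/Jan/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.20 - - [10/Jan/2025:10:01:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
]

def is_probe(path):
    """True if the path (query string and case ignored) targets wp-register.php."""
    return path.split("?", 1)[0].lower().rstrip("/").endswith("/wp-register.php")

def find_probes(lines):
    """Return {client_ip: {"probes": [(time, status)], "posts_after": {path: count}}}.

    posts_after counts POST requests a client sent after its first probe; many
    POSTs to one path are consistent with brute-force attempts against a login
    page the client has just located.
    """
    clients = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip = m["ip"]
        if is_probe(m["path"]):
            entry = clients.setdefault(ip, {"probes": [], "posts_after": defaultdict(int)})
            entry["probes"].append((m["time"], int(m["status"])))
        elif ip in clients and m["method"] == "POST":
            clients[ip]["posts_after"][m["path"].split("?", 1)[0]] += 1
    return clients

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, info["probes"], dict(info["posts_after"]))
```

Clients flagged this way are candidates for rate limiting or blocking, and the paths they posted to show whether the hidden login URL should be changed after updating.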
