I am writing to bring attention to a security vulnerability that I’ve encountered regarding the interaction between Gravity Forms and certain security plugins, particularly in relation to the concealment of the login page URL.
I recently came across an article (link to the article) that highlighted how Gravity Forms interactions can potentially bypass security measures implemented by popular security plugins, leading to the exposure of the hidden login page URL.
The issue arises when a request is made to the Gravity Forms endpoint with a random string appended to the gf_page parameter. Despite configuring security plugins to hide or customize the login page URL, it was observed that these plugins failed to effectively handle this interaction, thereby revealing the hidden login page URL.
I believe this is a critical security concern as it could allow unauthorized access to the WordPress admin area, circumventing the security measures put in place to protect the site from brute force attacks and other malicious activities.
As a WordPress user/administrator, I am concerned about the implications of this vulnerability and its potential impact on the security of WordPress sites using Gravity Forms and security plugins.
I would like to request the attention of plugin developers and the WordPress community to address this issue and ensure that security plugins are equipped to properly handle interactions with Gravity Forms, thereby enhancing the overall security of WordPress installations.
Any insights, solutions, or recommendations on how to mitigate this vulnerability would be greatly appreciated.
Thank you for your attention to this matter.

I therefore cannot log in at all. How can I solve this issue please?
Many thanks. Patrick

Unfortunately, every time I try to log into the admin panel Jetpack displays a simple mathematical operation to solve. I understand this. However, I have to type in several or a dozen results at a time to finally be able to log in. There is no way I could make a mistake when adding 8+5.
Maybe this is affected by the fact that the password is automatically entered by the KeePass program? Jetpack thinks it wasn’t typed by a human because the characters in the input appeared too fast.

The option “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps” is ON and I just noticed that the author-sitemap.xml is still accessible.
I also checked /?author=somename, and this showed that one can obtain confirmation that a user does exist.
While it does prevent access to /wp-json/wp/v2/users.
Are there some more options to prevent this?
Is there another way to stop access using htaccess maybe?
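For both the gf_page redirect described in the first post and the username-enumeration paths asked about here, a defender's log check, added as an example and not code from this thread or from any of the plugins named. It scans constructed access-log lines in combined log format and labels the requests worth alerting on; the gf_page allow-list is an assumption to be checked against your own installation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /?author=somename HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 83 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:04 +0000] "GET /author-sitemap.xml HTTP/1.1" 200 1422 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET /?gf_page=zzq9x HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:12:00:06 +0000] "GET /?gf_page=preview&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Assumed allow-list of gf_page values Gravity Forms serves itself; verify it against your installation.
KNOWN_GF_PAGES = {"preview", "upload", "print-entry"}


def classify_request(target: str):
    """Label one request target as a probe, or return None if nothing stands out."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/") or "/"
    if "author" in query:                         # /?author=N or /?author=name enumeration
        return "user-enum:author-param"
    if path == "/wp-json/wp/v2/users" or path.startswith("/wp-json/wp/v2/users/"):
        return "user-enum:rest-users"
    if path.endswith("author-sitemap.xml"):      # sitemap still lists authors when REST is closed
        return "user-enum:author-sitemap"
    if "gf_page" in query and not set(query["gf_page"]) <= KNOWN_GF_PAGES:
        return "gf_page:unexpected-value"        # the redirect trick described in the first post
    return None


def scan_log(text: str):
    """Return one finding per suspicious line: (ip, label, target, status)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip lines that are not in combined format
        label = classify_request(m["target"])
        if label:
            findings.append((m["ip"], label, m["target"], int(m["status"])))
    return findings
```

A 301 on the author-param lines means the site redirected to the author archive, which is the confirmation the post above observed; a 4xx there would show the block working.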

If you’re not experienced with this plugin, I wouldn’t recommend installing and launching 100% until you’ve completed uploading your files – if you activate the firewall before you’ve completed modifying and editing your installation, you will not be able to edit the pages or you can end up with file permission problems.

We have brute force protection on wp-admin enabled and never had any issues with it.
Today we tried to log in and recognized an issue with the captcha image: as you can see on the screenshot linked below, the image shows three of five digits only.
We already deleted bf_conf.php via FTP and re-configured brute force protection, but the issue reappeared.
Link to Screenshot: https://drive.google.com/file/d/1o0ZSdLBun3Mgyt7XfKgfFlBlummmQXNT/view?usp=sharing