• Resolved sme

    (@sitesme)


    Hello

    I have been receiving the following vulnerability report for this plugin:

    WordPress WPS Hide Login plugin <= 1.9.11 – Secret Login Page Location Disclosure on Multisites vulnerability

    Is this confirmed and is there a fix planned soon?

    Thank you

Viewing 13 replies - 1 through 13 (of 13 total)
  • On my end as well. I follow thread.

    I got the same Notification from Hosting: WordPress WPS Hide Login plugin <= 1.9.11 – Secret Login Page Location Disclosure on Multisites vulnerability

    Got the same message from Plesk’s WP Toolkit. I don’t use Multisite though.

    Is there a fix coming soon or should we look for an alternative? Thanks!

    Same here. No multisite.

    I have received an email about this from our hosting partner too, listing sites that both are and aren’t Multisite installations, but I don’t know if that’s just on the basis that “you’re using this plugin in WordPress and there’s a vulnerability”.

    Although there are few details, given that the severity is low, it sounds like this might just be a way for people to know the custom login URL rather than people being able to log in without proper credentials. For reference, this is the link that they pointed to: https://patchstack.com/database/vulnerability/wps-hide-login/wordpress-wps-hide-login-plugin-1-9-11-secret-login-page-location-disclosure-on-multisites-vulnerability

    Plugin Support MaximeWPS

    (@seinomedia)

    Hello,

    Thanks for using WPS Hide Login.

    Our dev team is fixing the issue.

    An update will be released very soon.

    This update is taking far too long to be acceptable. Please resolve.

    I came here because an attack searching for the admin account name was made, which should be impossible since the stub is an unguessable combination. Should we roll back to a previous version while waiting for the update? But I suppose it makes little effective difference, since the admin account name and password are also random characters.

    Please communicate an ETA for the fix.

    @seinomedia Although I recognise the issues that come from maintaining open source software – quite a lot of effort and high expectations despite code being given away for free – it would be very helpful to have a proper understanding of how long this might take. We don’t know how serious the vulnerability is – does this issue mean that people get hold of usernames as @semoliner suggests, or does it just give away the custom login URL etc. – and we have no realistic ETA other than “very soon”. In my mind, “very soon” is within a day or two, and it’s been longer than that, although of course with a weekend in between. Please give us more information so we can plan effectively.

    This is supposed to be a security plugin to protect the site from the hackers. Same here… I got an email warning from “Malcare Security” like this:

    “This is Aman from the Support team at MalCare. We have detected vulnerabilities on your site(s). These vulnerabilities can be exploited by a hacker to wreak havoc on your websites. Vulnerable Plugin: WPS Hide Login (1.9.11).
    It is advised that you immediately act on this. We recommend that you:
    1) Update the Vulnerable plugin/theme.
    2) Delete the Vulnerable plugin/theme if it is not being used.”

    Plugin Support MaximeWPS

    (@seinomedia)

    Hello,

    The issue has been fixed today. Please update the plugin to 1.9.12.

    @seinomedia Thanks for the notification, and the quick turnaround on the fix. In the future, please be a bit more forthcoming with an ETA – i.e. “under a week” rather than “very soon” – as it helps us plan our response. If I’d known it was going to be this quick I wouldn’t have spent the weekend thinking about whether we need to deactivate and / or replace the plugin. Given that I presume you’re doing this partly as a way to let people know about WPServeur, it would give people a better impression if that had been clearer.

  • The topic ‘Vulnerability on WordPress WPS Hide Login plugin version <=1.9.1.1’ is closed to new replies.