CVE-2021-24917— WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

EPSS 76.37% · P99 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-24917

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

Source: NVD (National Vulnerability Database)

Vulnerability Description

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制不正确

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress 插件安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 WordPress插件存在安全漏洞，该漏洞源于在1.9.1之前的WPS隐藏登录WordPress插件有一个bug，它允许通过设置一个随机引用字符串，并以未经身份验证的用户请求wp-admin options.php来获得秘密登录页面。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	WPS Hide Login	1.9.1 ~ 1.9.1	-

II. Public POCs for CVE-2021-24917

#	POC Description	Source Link	Shenlong Link
1	CVE-2021-24917	https://github.com/dikalasenjadatang/CVE-2021-24917	POC Details
2	WordPress WPS Hide Login <1.9.1 - Information Disclosure	https://github.com/Cappricio-Securities/CVE-2021-24917	POC Details
3	WordPress WPS Hide Login plugin before 1.9.1 is susceptible to incorrect authorization. An attacker can obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. This reveals the secret login location.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24917.yaml	POC Details
4	CVE-2021-24917	https://github.com/buildwithlian/CVE-2021-24917	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-24917

请登录查看更多情报信息。

https://wordpress.org/support/topic/bypass-security-issue/x_refsource_MISC
https://wpscan.com/vulnerability/15bb711a-7d70-4891-b7a2-c473e3e8b375x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2021-24917

Same Patch Batch · Unknown · 2021-12-06 · 14 CVEs total

CVE-2021-24714		WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
CVE-2021-24718		ARForms Form Builder < 1.5 - Admin+ Stored Cross Site Scripting
CVE-2021-24759		PDF.js Viewer < 2.0.2 - Contributor+ Stored Cross-Site Scripting
CVE-2021-24866		WP Data Access < 5.0.0 - Admin+ SQL Injection
CVE-2021-24914		Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal
CVE-2021-24924		Email Log < 2.4.8 - Reflected Cross-Site Scripting
CVE-2021-24930		Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting
CVE-2021-24931		Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
CVE-2021-24935		WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting
CVE-2021-24938		WooCommerce Currency Switcher < 1.3.7.1 - Reflected Cross-Site Scripting
CVE-2021-24939		LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting
CVE-2021-24943		Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection
CVE-2021-25041		Photo Gallery by 10Web < 1.5.68 - Reflected Cross-Site Scripting (XSS)

IV. Related Vulnerabilities

Same product: WPS Hide Login

Same vendor: Unknown

Same weakness: CWE-863

V. Comments for CVE-2021-24917

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-24917— WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

I. Basic Information for CVE-2021-24917

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2021-24917

III. Intelligence Information for CVE-2021-24917

Same Patch Batch · Unknown · 2021-12-06 · 14 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-24917

Leave a comment