JVN#60331535
WordPress plugin "SiteGuard WP Plugin" may leak the customized path to the login page
Overview
WordPress plugin "SiteGuard WP Plugin" provided by EG Secure Solutions Inc. may leak the customized path to the login page.
Products Affected
- SiteGuard WP Plugin versions prior to 1.7.7
Description
WordPress plugin "SiteGuard WP Plugin" provided by EG Secure Solutions Inc. provides a functionality to customize the path to the login page wp-login.php.
The plugin implements a measure to avoid redirection from other URLs, but missed to implement a measure to avoid redirection from wp-register.php (CWE-201).
Impact
The customized path to the login page may be exposed.
Solution
Update the plugin
Update the plugin to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-37881 |
| JVN iPedia |
JVNDB-2024-000064 |