Vulnerability in Information Leakage of WordPress Plugin "SiteGuard WP Plugin": WPV2024001
Publication Date: May 31, 2024
Last Updated: May 31, 2024
It has been identified that WordPress Plugin "SiteGuard WP Plugin" versions prior to 1.7.6 have a vulnerability that can lead to information leakage. If this vulnerability is exploited, the login path renamed by this Plugin could be disclosed, which may lead to unauthorized login attempts. The affected versions of "SiteGuard WP Plugin" are listed below; please use the updated versions.
The affected products are as follows:
Product Name: WordPress Plugin "SiteGuard WP Plugin"
Affected Versions:
Versions prior to 1.7.6
To confirm the version you are using:
Log in to WordPress with a user who has administrator privileges and select "Plugins" from the left menu.
In the list of plugins, locate "SiteGuard WP Plugin" and check the displayed version.
WordPress Plugin "SiteGuard WP Plugin" provides a "Rename Login Function" that changes the standard login path (wp-login.php) to an arbitrary path, in order to reduce automated login attempt attacks. Measures are in place to prevent redirection to the modified login path when /wp-activate.php or /wp-signup.php is accessed, but the corresponding measure was missing for /wp-register.php. As a result, a request to /wp-register.php (or to "/anypath/wp-register.php") is redirected to the modified login path, which discloses that path and exposes the site to login attempt attacks.
When the Rename Login Function option "Do not redirect from the admin page to login page" is checked (it is unchecked by default), the modified login path should not be leaked. However, accessing /wp-register.php leaks the modified login path even in that case. If the modified login path leaks, login attempt attacks become possible, although the leak by itself does not grant a login.
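The following added example models the redirect guard described above; it is constructed for illustration and is not the plugin's own code. It assumes a hypothetical renamed path (/login_abc123) and constructed core redirect targets, and shows the pre-fix exclusion list (wp-activate.php, wp-signup.php) beside the corrected one that also covers wp-register.php, matching on the basename so that "/anypath/wp-register.php" is handled too.

```python
from posixpath import basename
from urllib.parse import urlsplit, urlunsplit

STANDARD_LOGIN = "/wp-login.php"
RENAMED_LOGIN = "/login_abc123"  # hypothetical renamed login path (assumption)

# Requesting pages whose redirects must NOT be rewritten to the renamed path.
GUARDED_BEFORE_FIX = frozenset({"wp-activate.php", "wp-signup.php"})
GUARDED_AFTER_FIX = GUARDED_BEFORE_FIX | {"wp-register.php"}


def rewrite_login_redirect(request_path, core_location, guarded):
    """Return the Location the visitor finally receives.

    core_location is the redirect WordPress itself would send (constructed
    values below).  The rename feature rewrites redirects that point at
    wp-login.php to the renamed path unless the requesting page is guarded.
    Matching on the basename covers "/anypath/wp-register.php" as well.
    """
    page = basename(urlsplit(request_path).path)
    target = urlsplit(core_location)
    if page in guarded or basename(target.path) != "wp-login.php":
        return core_location  # pass the core redirect through untouched
    return urlunsplit(target._replace(path=RENAMED_LOGIN))


def leaks_renamed_path(request_path, core_location, guarded):
    """True when the final Location reveals the renamed login path."""
    return RENAMED_LOGIN in rewrite_login_redirect(request_path, core_location, guarded)


# Constructed cases: (request path, redirect WordPress core would send).
CASES = [
    ("/wp-register.php", STANDARD_LOGIN + "?action=register"),
    ("/anypath/wp-register.php", STANDARD_LOGIN + "?action=register"),
    ("/wp-signup.php", STANDARD_LOGIN + "?action=register"),
]


def evaluate(guarded):
    """Map each case's request path to whether the renamed path leaks."""
    return {req: leaks_renamed_path(req, loc, guarded) for req, loc in CASES}


if __name__ == "__main__":
    for label, guarded in (("before fix", GUARDED_BEFORE_FIX),
                           ("after fix", GUARDED_AFTER_FIX)):
        print(label, evaluate(guarded))
```

With the pre-fix list both wp-register.php requests leak the renamed path while wp-signup.php does not; with the corrected list none of them do.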
Customers using versions prior to 1.7.6 should update to version 1.7.7 or later. The update can be applied from the list of WordPress plugins.
The only way to avoid this vulnerability (leakage of the modified login path) is to update to version 1.7.7 or later. Enabling this Plugin's "CAPTCHA", "Login Lock", and "Fail Once" features can reduce the likelihood that a login attempt attack succeeds.
JVN#60331535: Information Leakage Vulnerability in WordPress Plugin "SiteGuard WP Plugin"
This issue was reported by Mr. Yuta Watanabe of STNet Corporation. Thank you very much.
May 31, 2024: This vulnerability information page was published.
Vulnerability Reporting Contact
EG Secure Solutions Inc. SiteGuard WP Plugin Support Contact
Email: sg-wp-plugin@eg-secure.co.jp