CVE-2026-39484

Hide My WP Ghost < 7.0.00 - Unauthenticated Open Redirect

mediumURL Redirection to Untrusted Site ('Open Redirect')
4.7
CVSS Score
4.7
CVSS Score
medium
Severity
7.0.00
Patched in
49d
Time to patch

Description

The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Open Redirect in all versions up to 7.0.00 (exclusive). This is due to insufficient validation on a redirect url. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<7.0.00
PublishedMarch 18, 2026
Last updatedMay 5, 2026
Affected pluginhide-my-wp

What Changed in the Fix

Changes introduced in v7.0.00

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

```markdown # Exploitation Research Plan - CVE-2026-39484 (Unauthenticated Open Redirect) ## 1. Vulnerability Summary The **WP Ghost (Hide My WP Ghost)** plugin for WordPress is vulnerable to an **Unauthenticated Open Redirect** in versions up to 7.0.00. The vulnerability exists because the plugin'…

Show full research plan
# Exploitation Research Plan - CVE-2026-39484 (Unauthenticated Open Redirect)

## 1. Vulnerability Summary
The **WP Ghost (Hide My WP Ghost)** plugin for WordPress is vulnerable to an **Unauthenticated Open Redirect** in versions up to 7.0.00. The vulnerability exists because the plugin's action-handling logic (specifically in classes like `HMWP_Classes_Error`) uses `wp_redirect()` on the current URL (derived via `remove_query_arg`) without sufficient validation. An attacker can craft a malicious URL containing an encoded external target that, when processed by the plugin's admin-area hooks, triggers a redirection to an untrusted site.

## 2. Attack Vector Analysis
- **Endpoint:** `/wp-admin/admin-post.php` or `/wp-admin/admin-ajax.php`
- **Action:** `hmwp_ignoreerror` (and potentially other actions registered in `HMWP_Classes_Action::getActionsTable()`).
- **Parameters:** 
    - `action=hmwp_ignoreerror`
    - `hmwp_nonce=[NONCE]`
    - `hash=[ANY_VALUE]`
- **Authentication:** Unauthenticated (PR:N). While the code resides in the admin area, unauthenticated users can access `admin-post.php` and `admin-ajax.php`. The redirect relies on a User Interaction (UI:R) where a logged-in administrator
Research Findings
Static analysis — not yet PoC-verified

Summary

The Hide My WP Ghost plugin for WordPress is vulnerable to an Open Redirect via the 'hmwp_ignoreerror' action. This occurs because the plugin uses the non-pluggable wp_redirect() function on a URL derived from the current request via remove_query_arg() without validating the destination, allowing attackers to redirect authenticated administrators to malicious external sites.

Vulnerable Code

/**
 * Run the actions on submit
 *
 * @throws Exception
 */
public function action() {

    if ( ! HMWP_Classes_Tools::userCan( HMWP_CAPABILITY ) ) {
        return;
    }

    switch ( HMWP_Classes_Tools::getValue( 'action' ) ) {
        case 'hmwp_ignoreerror':
            $hash = HMWP_Classes_Tools::getValue( 'hash' );

            $ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' );

            array_push( $ignore_errors, $hash );
            $ignore_errors = array_unique( $ignore_errors );
            $ignore_errors = array_filter( $ignore_errors );

            HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors );

            wp_redirect( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) );

            break;
    }
}
// File: classes/Error.php

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/hide-my-wp/5.5.04/classes/Error.php	2025-01-06 13:10:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/hide-my-wp/7.0.00/classes/Error.php	2026-03-31 07:53:16.000000000 +0000
@@ -108,25 +140,25 @@
 	 */
 	public function action() {
 
+		// Check if the current user has the 'hmwp_manage_settings' capability
 		if ( ! HMWP_Classes_Tools::userCan( HMWP_CAPABILITY ) ) {
 			return;
 		}
 
-		switch ( HMWP_Classes_Tools::getValue( 'action' ) ) {
-			case 'hmwp_ignoreerror':
-				$hash = HMWP_Classes_Tools::getValue( 'hash' );
+		if ( HMWP_Classes_Tools::getValue( 'action' ) == 'hmwp_ignoreerror' ) {
+			$hash = HMWP_Classes_Tools::getValue( 'hash' );
 
-				$ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' );
+			$ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' );
 
-				array_push( $ignore_errors, $hash );
-				$ignore_errors = array_unique( $ignore_errors );
-				$ignore_errors = array_filter( $ignore_errors );
+			$ignore_errors[] = $hash;
+			$ignore_errors   = array_unique( $ignore_errors );
+			$ignore_errors   = array_filter( $ignore_errors );
 
-				HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors );
+			HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors );
 
-				wp_redirect( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) );
-
-				break;
+			if ( wp_safe_redirect( esc_url_raw( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) ) ) ) {
+				exit;
+			}
 		}
 	}

Exploit Outline

The exploit targets the 'hmwp_ignoreerror' action registered in the admin interface. An attacker crafts a malicious request to the WordPress admin panel (e.g., admin.php or admin-post.php) containing the action 'hmwp_ignoreerror', a valid 'hmwp_nonce', and a 'hash' parameter. Because remove_query_arg() defaults to using the current request URI when no URL is provided, and the code subsequently calls wp_redirect() without validation, an attacker can manipulate the host header or request URI to include an external domain (e.g., //evil.com). When an authenticated administrator follows the link, the plugin processes the request and redirects the user to the attacker-specified external domain.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.