Hide My WP Ghost < 7.0.00 - Unauthenticated Open Redirect
Description
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Open Redirect in all versions up to 7.0.00 (exclusive). This is due to insufficient validation on a redirect url. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v7.0.00
Source Code
WordPress.org SVN```markdown # Exploitation Research Plan - CVE-2026-39484 (Unauthenticated Open Redirect) ## 1. Vulnerability Summary The **WP Ghost (Hide My WP Ghost)** plugin for WordPress is vulnerable to an **Unauthenticated Open Redirect** in versions up to 7.0.00. The vulnerability exists because the plugin'…
Show full research plan
# Exploitation Research Plan - CVE-2026-39484 (Unauthenticated Open Redirect)
## 1. Vulnerability Summary
The **WP Ghost (Hide My WP Ghost)** plugin for WordPress is vulnerable to an **Unauthenticated Open Redirect** in versions up to 7.0.00. The vulnerability exists because the plugin's action-handling logic (specifically in classes like `HMWP_Classes_Error`) uses `wp_redirect()` on the current URL (derived via `remove_query_arg`) without sufficient validation. An attacker can craft a malicious URL containing an encoded external target that, when processed by the plugin's admin-area hooks, triggers a redirection to an untrusted site.
## 2. Attack Vector Analysis
- **Endpoint:** `/wp-admin/admin-post.php` or `/wp-admin/admin-ajax.php`
- **Action:** `hmwp_ignoreerror` (and potentially other actions registered in `HMWP_Classes_Action::getActionsTable()`).
- **Parameters:**
- `action=hmwp_ignoreerror`
- `hmwp_nonce=[NONCE]`
- `hash=[ANY_VALUE]`
- **Authentication:** Unauthenticated (PR:N). While the code resides in the admin area, unauthenticated users can access `admin-post.php` and `admin-ajax.php`. The redirect relies on a User Interaction (UI:R) where a logged-in administrator
Summary
The Hide My WP Ghost plugin for WordPress is vulnerable to an Open Redirect via the 'hmwp_ignoreerror' action. This occurs because the plugin uses the non-pluggable wp_redirect() function on a URL derived from the current request via remove_query_arg() without validating the destination, allowing attackers to redirect authenticated administrators to malicious external sites.
Vulnerable Code
/** * Run the actions on submit * * @throws Exception */ public function action() { if ( ! HMWP_Classes_Tools::userCan( HMWP_CAPABILITY ) ) { return; } switch ( HMWP_Classes_Tools::getValue( 'action' ) ) { case 'hmwp_ignoreerror': $hash = HMWP_Classes_Tools::getValue( 'hash' ); $ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' ); array_push( $ignore_errors, $hash ); $ignore_errors = array_unique( $ignore_errors ); $ignore_errors = array_filter( $ignore_errors ); HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors ); wp_redirect( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) ); break; } } // File: classes/Error.php
Security Fix
@@ -108,25 +140,25 @@ */ public function action() { + // Check if the current user has the 'hmwp_manage_settings' capability if ( ! HMWP_Classes_Tools::userCan( HMWP_CAPABILITY ) ) { return; } - switch ( HMWP_Classes_Tools::getValue( 'action' ) ) { - case 'hmwp_ignoreerror': - $hash = HMWP_Classes_Tools::getValue( 'hash' ); + if ( HMWP_Classes_Tools::getValue( 'action' ) == 'hmwp_ignoreerror' ) { + $hash = HMWP_Classes_Tools::getValue( 'hash' ); - $ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' ); + $ignore_errors = (array) HMWP_Classes_Tools::getOption( 'ignore_errors' ); - array_push( $ignore_errors, $hash ); - $ignore_errors = array_unique( $ignore_errors ); - $ignore_errors = array_filter( $ignore_errors ); + $ignore_errors[] = $hash; + $ignore_errors = array_unique( $ignore_errors ); + $ignore_errors = array_filter( $ignore_errors ); - HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors ); + HMWP_Classes_Tools::saveOptions( 'ignore_errors', $ignore_errors ); - wp_redirect( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) ); - - break; + if ( wp_safe_redirect( esc_url_raw( remove_query_arg( array( 'hmwp_nonce', 'action', 'hash' ) ) ) ) ) { + exit; + } } }
Exploit Outline
The exploit targets the 'hmwp_ignoreerror' action registered in the admin interface. An attacker crafts a malicious request to the WordPress admin panel (e.g., admin.php or admin-post.php) containing the action 'hmwp_ignoreerror', a valid 'hmwp_nonce', and a 'hash' parameter. Because remove_query_arg() defaults to using the current request URI when no URL is provided, and the code subsequently calls wp_redirect() without validation, an attacker can manipulate the host header or request URI to include an external domain (e.g., //evil.com). When an authenticated administrator follows the link, the plugin processes the request and redirects the user to the attacker-specified external domain.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.