Cyber Resilience

CVE-2023-5089

Severity: Medium · Public PoC available

Published: 16 October 2023

Modified: 23 April 2025
KEV Added: not listed
Patch: upgrade to plugin version 4.1.0 or later
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.8312 (99.3rd percentile)
Risk Priority: 60 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5089 is a medium-severity vulnerability of unspecified weakness type in Wpmudev Defender Security. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Defender Security WordPress plugin before version 4.1.0 is affected by a flaw in which it fails to block redirects to the login page initiated through WordPress's auth_redirect function. This happens even when the plugin's hide login page feature is enabled, so unauthenticated visitors can still reach the login page.

An unauthenticated attacker can exploit the issue over the network by triggering the redirect behavior, which discloses the otherwise hidden login page URL and yields a partial confidentiality impact. The vulnerability carries a CVSS 3.1 score of 5.3.

Public references from WPScan and Sprocket Security document the issue but provide no additional mitigation details beyond upgrading the plugin.

The associated EPSS score has reached 0.8312.

Vulnerability details

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wpmudev
defender security
≤ 4.1.0

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The only mitigation documented in the public references is upgrading the plugin.
