• Resolved guillaumemps

    (@guillaumemps)


    Hello,
    This is a very important security issue I think.

    Elementor displays the hidden admin URL in the HTML source of the page.

    Elementor loads some JavaScript on all pages, and this JavaScript exposes the hidden admin URL created by your module:

    <script id="elementor-app-loader-js-before">var elementorAppConfig = {"menu_url":"https:\/\/XXXXXXXX.COM\/wp-admin\/admin.php?page=elementor-app&ver=3.32.2#\/site-editor","assets_url":"https:\/\/XXXXXXXX.COM\/wp-content\/plugins\/elementor\/assets\/","pages_url":"https:\/\/XXXXXXXX.COM\/wp-admin\/edit.php?post_type=page","return_url":"https:\/\/XXXXXXXX.COM\/wp-admin\/","hasPro":true,"admin_url":"https:\/\/XXXXXXXX.COM\/wp-admin\/","login_url":"https:\/\/XXXXXXXX.COM\/fr\/HIDDENLOGIN\/","base_url":"https:\/\/XXXXXXXX.COM\/wp-admin\/admin.php?page=elementor-app&ver=3.32.2","home_url":"https:\/\/XXXXXXXX.COM\/fr\/","promotion":{"upgrade_url":"https:\/\/go.elementor.com\/go-pro-theme-builder\/"},"site-editor":[],"import-export":[],"import-export-customization":[],"kit-library":[],"onboarding":[]};</script>

    You can see the HIDDENLOGIN URL part (I changed the strings here for privacy).

    Thanks for your help

Viewing 2 replies - 1 through 2 (of 2 total)
  • This code you provided is only injected into the HTML when you are logged in on your WordPress instance. If you are not logged in, the code is not there. So this really is not an issue because you would never know about that path unless you were already logged in.

    Plugin Support Lea WPServeur

    (@leacomm)

    Hi,
    Thanks for using WPS Hide Login.
    This script is only loaded when you’re logged into your WordPress admin. The custom login URL is never visible to users who aren’t logged in, so it poses no security risk.
    Best regards.
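
A site owner can check the behaviour described in the replies on saved copies of their own pages, one fetched while logged in and one fetched with no session cookies. The script below is an added example, not part of the thread or of either plugin's code; the function names, the `example.test` host and the slug `my-secret-entry` are constructed placeholders.

```python
import json
import re

# Inline block quoted in the original post; group 1 is the object literal.
CONFIG_RE = re.compile(
    r'<script[^>]*id="elementor-app-loader-js-before"[^>]*>\s*'
    r'var\s+elementorAppConfig\s*=\s*(\{.*?\});\s*</script>',
    re.DOTALL,
)

# Constructed samples: host and slug are placeholders, not real values.
SLUG = "my-secret-entry"
LOGGED_IN_HTML = r'''<html><head>
<script id="elementor-app-loader-js-before">var elementorAppConfig = {"admin_url":"https:\/\/example.test\/wp-admin\/","login_url":"https:\/\/example.test\/fr\/my-secret-entry\/","promotion":{"upgrade_url":"https:\/\/go.elementor.com\/go-pro-theme-builder\/"},"onboarding":[]};</script>
</head><body>logged-in view</body></html>'''
ANONYMOUS_HTML = "<html><head><title>Home</title></head><body>public view</body></html>"


def extract_app_config(html):
    """Return elementorAppConfig as a dict, or None if the block is absent or malformed."""
    match = CONFIG_RE.search(html)
    if not match:
        return None
    try:
        return json.loads(match.group(1))  # json.loads turns "\/" back into "/"
    except json.JSONDecodeError:
        return None


def audit_response(html, hidden_slug):
    """Report whether one saved page body discloses the custom login slug.

    hidden_slug is the path the site owner configured in WPS Hide Login.
    """
    config = extract_app_config(html)
    login_url = (config or {}).get("login_url", "")
    needle = hidden_slug.lower()
    return {
        "config_present": config is not None,
        "slug_in_config": needle in login_url.lower(),
        # Also catch the slug elsewhere in the body (menus, links, other plugins).
        "slug_in_body": needle in html.lower(),
    }


if __name__ == "__main__":
    for label, body in (("logged-in", LOGGED_IN_HTML), ("anonymous", ANONYMOUS_HTML)):
        print(label, audit_response(body, SLUG))
```

Run it against the cookie-less copy of several page types (home page, a post, a 404 page); any `True` in that result means the slug reaches visitors who are not logged in.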
