This can be done by creating a link like this one: https://example.com/wp-login.php?redirect_to=%2Ffake-user-account.php
Because the user is not authenticated, the WP login page will be displayed with a login form without any login or password fields. The user can then complete the fake account creation and login with predefined information.
To prevent this attack vector, the following actions can be taken: - When creating links to wp-admin pages, consider using https:// instead of http://, as this will prevent unauthenticated user from clicking on the link. - Restricting access to wp-admin pages to authenticated users only. - Restricting access to wp-login.php to authenticated users only, by using the login_manager plugin.
Timeline
Published on: 09/14/2022 11:15:00 UTC
Last modified on: 09/30/2022 19:15:00 UTC