{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:10.796Z", "dateUpdated": "2026-04-29T09:52:01.908Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hide-my-wp", "product": "Hide My WP Ghost", "vendor": "John Darrel", "versions": [{"changes": [{"at": "7.0.00", "status": "unaffected"}], "lessThanOrEqual": "7.0.00", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Or Benit | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.696Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.<p>This issue affects Hide My WP Ghost: from n/a through < 7.0.00.</p>"}], "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00."}], "impacts": [{"capecId": "CAPEC-98", "descriptions": [{"lang": "en", "value": "Phishing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.908Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-7-0-00-open-redirection-vulnerability?_s_id=cve"}], "title": "WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:08:20.582290Z", "id": "CVE-2026-39484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:08:46.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:08:20.582290Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:07:04.852Z"}}], "cna": {"title": "WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Or Benit | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-98", "descriptions": [{"lang": "en", "value": "Phishing"}]}], "affected": [{"vendor": "John Darrel", "product": "Hide My WP Ghost", "versions": [{"status": "affected", "changes": [{"at": "7.0.00", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "7.0.00"}], "packageName": "hide-my-wp", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:57.696Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-7-0-00-open-redirection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00.", "supportingMedia": [{"type": "text/html", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.<p>This issue affects Hide My WP Ghost: from n/a through < 7.0.00.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:10.796Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39484", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:08:46.015Z", "dateReserved": "2026-04-07T10:47:37.759Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:10.796Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00."}], "id": "CVE-2026-39484", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:23.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-7-0-00-open-redirection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.00)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.0.00"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hide My WP Ghost", "source": "cna", "vendor": "John Darrel"}, "product": "hide_my_wp_ghost", "vendor": "john_darrel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T18:04:12.981068+00:00", "value": {"mitigation_remediation": ["Update Hide My WP Ghost to version 7.0.00 or newer.", "If the update cannot be applied immediately, disable or restrict the plugin\u2019s redirect functionality to trusted destinations.", "Verify that the website does not expose the vulnerable redirect in publicly reachable URLs.", "Monitor users for phishing attempts originating from your domain."], "summary": {"action": "Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The issue impacts the WordPress Hide My WP Ghost plugin developed by John Darrel. All versions prior to 7.0.00 are affected. No specific minor revisions are listed, so any release before the 7.0.00 line is vulnerable.", "description_and_impact": "A vulnerability in the Hide My WP Ghost plugin for WordPress allows an attacker to redirect users to an arbitrary, untrusted website. This open redirection flaw can be employed to deliver phishing pages, spread malware, or facilitate credential theft. The weakness is identified as CWE\u2011601 and affects the plugin's internal URL handling logic.", "risk_and_exploitability": "The CVSS score is 4.7, indicating moderate severity, while the EPSS score is below 1%, suggesting a low probability of exploit. The vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list. The most likely attack vector is a crafted URL that leverages the plugin\u2019s redirect feature; based on the description, this is inferred rather than explicitly stated."}}}}, "created": "2026-04-08T19:30:45.387431+00:00", "updated": "2026-04-15T16:15:11.945935+00:00", "vendors": ["john_darrel", "john_darrel$PRODUCT$hide_my_wp_ghost", "wordpress", "wordpress$PRODUCT$wordpress"]}