WordPress Plugin Vulnerabilities

Defender Security < 4.4.2 - IP Address Spoofing

Description

The plugin prioritized user-supplied HTTP headers when trying to retrieve a user's IP address, making it possible for them to bypass IP address based restrictions.

Affects Plugins

Plugin icon
defender-security
Fixed in 4.4.2

References

CVE
CVE-2024-25595
URL
https://patchstack.com/database/vulnerability/defender-security/wordpress-defender-security-plugin-4-4-1-ip-restriction-bypass-vulnerability

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
beluga
Verified
No
WPVDB ID
16167be6-2b81-4e96-929e-41d9312ee8a8

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-15 (about 2 years ago)
Last Updated
2024-02-15 (about 2 years ago)

Other

Published
Title
Published
2025-10-09
Title
All In One Login 2.0.8 - IP Sooofing to Protection Mechanism Bypass
Published
2024-09-18
Title
Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass
Published
2023-09-25
Title
User Activity Log Pro < 2.3.4 - IP Spoofing
Published
2024-03-28
Title
Newsletter < 8.2.1 - IP Spoofing
Published
2024-03-27
Title
coreActivity < 2.1 - Unauthenticated IP Spoofing