WordPress Plugin Vulnerabilities

Antispam Bee < 2.11.4 - IP Address Spoofing via get_client_ip

Description

The Antispam Bee plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.11.3 due to use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass country blocking.

Affects Plugins

Plugin icon
antispam-bee
Fixed in 2.11.4

References

CVE
CVE-2023-41134
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
195de3b7-d1d9-4fd2-804d-33a87f72e2ea

Timeline

Publicly Published
2023-11-27 (about 2 years ago)
Added
2023-12-07 (about 2 years ago)
Last Updated
2023-12-07 (about 2 years ago)

Other

Published
Title
Published
2024-03-28
Title
Newsletter < 8.2.1 - IP Spoofing
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2025-02-11
Title
Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing
Published
2023-12-27
Title
Branda < 3.4.15 - IP Spoofing
Published
2024-01-10
Title
WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass