WordPress Plugin Vulnerabilities

DoLogin Security < 3.7 - IP Spoofing

Description

The plugin uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.

Proof of Concept

Affects Plugins

Plugin icon
dologin
Fixed in 3.7

References

CVE
CVE-2023-4631

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes
WPVDB ID
28613fc7-1400-4553-bcc3-24df1cee418e

Timeline

Publicly Published
2023-08-28 (about 2 years ago)
Added
2023-08-30 (about 2 years ago)
Last Updated
2023-08-30 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated IP Spoofing
Published
2023-12-01
Title
Coming soon and Maintenance mode < 3.7.4 - IP Address Spoofing via get_real_ip
Published
2024-09-18
Title
Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2024-01-29
Title
User Activity Tracking and Log < 4.1.4 - IP Spoofing