WordPress Plugin Vulnerabilities

WP Photo Album Plus < 8.6.01.005 - IP Spoofing

Description

The plugin does not properly check for IP addresses, allowing attackers to spoof IP addresses via headers and bypass the login protection offered by the plugin

Affects Plugins

Plugin icon
wp-photo-album-plus
Fixed in 8.6.01.005

References

CVE
CVE-2023-49774
URL
https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-5-02-005-ip-bypass-vulnerability

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
28d3162e-1874-4fc6-bf4c-3d50eff58c11

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-13 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2026-04-29
Title
Otter Blocks < 3.1.5 - Unauthenticated Purchase Verification Bypass via Forged Cookie
Published
2023-09-01
Title
Activity Log < 2.8.8 - IP Spoofing
Published
2023-09-25
Title
User Activity Log Pro < 2.3.4 - IP Spoofing
Published
2023-11-06
Title
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing