WordPress Plugin Vulnerabilities

Coming soon and Maintenance mode < 3.7.4 - IP Address Spoofing via get_real_ip

Description

The plugin is vulnerable to IP Address Spoofing due to the use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for attackers to bypass the coming soon mode page and visit the full site by spoofing an allowed IP.

Affects Plugins

Plugin icon
coming-soon-page
Fixed in 3.7.4

References

CVE
CVE-2023-49741
URL
https://patchstack.com/database/vulnerability/coming-soon-page/wordpress-coming-soon-and-maintenance-mode-plugin-3-7-3-ip-filtering-bypass-vulnerability

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
3728adfc-25a5-4c16-80a6-fb20e1d28252

Timeline

Publicly Published
2023-12-01 (about 2 years ago)
Added
2023-12-07 (about 2 years ago)
Last Updated
2024-06-04 (about 1 year ago)

Other

Published
Title
Published
2024-08-16
Title
LOGIN AND REGISTRATION ATTEMPTS LIMIT<= 2.1 - IP Address Spoofing to Protection Mechanism Bypass
Published
2024-04-22
Title
Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing
Published
2024-09-04
Title
Security, Antivirus, Firewall – S.A.F <= 2.3.5 - IP Address Spoofing to Protection Mechanism Bypass
Published
2024-04-22
Title
Giveaways and Contests by RafflePress < 1.12.11 - IP Spoofing
Published
2023-08-14
Title
User Activity Log < 1.6.7 - IP Spoofing