Login Lockdown – Protect Login Form < 2.09 – Subscriber+ Options Leak | CVE 2024-1340

Description

The plugin does not prevent logged-in users of any role (e.g. subscribers) from leaking its settings, which may include allowlisted IP addresses as well as a global unlock key, with which they could add their own IP address to the plugin's list.

Proof of Concept

As a logged-in subscriber, visit the following URL:

https://vulnerablesite.tld/wp-admin/?action=loginlockdown_export_settings

Affects Plugins

Fixed in 2.09

References

CVE

CVE-2024-1340

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Lucio Sá

Verified

Yes

WPVDB ID

44b3abd0-b4e7-416c-bf1e-a2520f202385

Timeline

Publicly Published

2024-02-09 (about 2 years ago)

Added

2024-02-12 (about 2 years ago)

Last Updated

2024-02-12 (about 2 years ago)

Other

Published

Title

Published

2023-02-24

Title

Apollo13 Framework Extensions < 1.9.0 - Missing Authorization

Published

2025-04-18

Title

Grand Restaurant WordPress <= 7.0 - Missing Authorization

Published

2024-08-12

Title

WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Published

2025-09-03

Title

Malcure Malware Scanner < 16.9 - Missing Authorization

Published

2026-01-28

Title

WP-CORS <= 0.2.2 - Missing Authorization