WordPress Plugin Vulnerabilities

WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass

Description

The plugin is vulnerable to IP Spoofing due to insufficient validation of IP addresses, allowing unauthenticated attackers to bypass the plugin's maintenance mode restriction via the 'X-Forwarded-For' HTTP header.

Affects Plugins

Plugin icon
wp-manutencao
Fixed in 1.0.7

References

CVE
CVE-2024-22139
URL
https://patchstack.com/database/vulnerability/wp-manutencao/wordpress-wordpress-manutencao-plugin-1-0-6-bypass-vulnerability

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
4bacc9b2-9b65-4fa6-a935-4da17a7e9159

Timeline

Publicly Published
2024-01-10 (about 2 years ago)
Added
2024-01-17 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2023-12-27
Title
Branda < 3.4.15 - IP Spoofing
Published
2025-10-30
Title
OOPSpam Anti-Spam < 1.2.54 - Unauthenticated IP Header Spoofing
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2023-09-25
Title
User Activity Log Pro < 2.3.4 - IP Spoofing
Published
2025-10-24
Title
Password Protected < 2.7.12 - Unauthenticated Authorization Bypass via IP Address Spoofing