The plugin doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.
Set HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR or any other header in LoginNoCaptcha::get_ip_address() which is then checked against the whitelist and Google reCaptcha. The only caveat on this PoC is that attacker must know the list of IP addresses added to the allow list. This can be done by luring administrators to fake pages, but increases the complexity of the attack.
BYPASS
Daniel Ruf
Daniel Ruf
Yes
2022-08-22 (about 9 months ago)
2022-08-22 (about 9 months ago)
2023-05-11 (about 23 days ago)