WordPress Plugin Vulnerabilities
Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass
Description
The plugin doesn't check the proper IP address: it accepts an address taken from client-supplied request headers, allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.
Proof of Concept
Set HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR or any other header read in LoginNoCaptcha::get_ip_address(); the resulting value is then checked against the allow list and Google reCAPTCHA. The only caveat of this PoC is that the attacker must know the list of IP addresses added to the allow list. This can be done by luring administrators to fake pages, but it increases the complexity of the attack.
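The header-first lookup described above next to a hardened resolver, as an added PHP example that is not the plugin's code or its fix. The function names, the trusted-proxy list and the sample addresses are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Function names, the
// trusted-proxy list and all addresses are assumptions for this example.

// Pattern the advisory describes: client-supplied headers are consulted
// before REMOTE_ADDR, so the sender picks the value that gets compared.
function ip_from_headers_unsafe(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// Hardened form: REMOTE_ADDR (the TCP peer) is authoritative. X-Forwarded-For
// is read only when that peer is a proxy the operator configured, and the
// chain is walked right to left, stopping at the first untrusted hop.
function ip_from_peer(array $server, array $trusted_proxies = []): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop; // first hop not under the operator's control
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed sample data (documentation address ranges).
$allow_list = ['192.0.2.10'];
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10'];
$proxied = ['REMOTE_ADDR' => '203.0.113.1', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 198.51.100.7'];

// Allow-list decision for each resolver.
var_dump(in_array(ip_from_headers_unsafe($direct), $allow_list, true));
var_dump(in_array(ip_from_peer($direct), $allow_list, true));
var_dump(in_array(ip_from_peer($proxied, ['203.0.113.1']), $allow_list, true));
```

Only the header-first lookup treats the constructed requests as allow-listed; the peer-based resolver returns 198.51.100.7 for both, because the forwarded value is ignored for an untrusted peer and the entry prepended to the chain is never reached for the trusted one.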
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-22
Added
2022-08-22
Last Updated
2023-05-11