WordPress Plugin Vulnerabilities

FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing

Description

The plugin prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin.

Proof of Concept

Affects Plugins

Plugin icon
fluent-security
Fixed in 1.0.2

References

CVE
CVE-2022-4746

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
62e3babc-00c6-4a35-972f-8f03ba70ba32

Timeline

Publicly Published
2022-12-27 (about 2 years ago)
Added
2022-12-27 (about 2 years ago)
Last Updated
2022-12-28 (about 2 years ago)

Other

Published
Title
Published
2020-03-04
Title
WooCommerce Smart Coupons < 4.6.5 - Unauthenticated Coupon Creation
Published
2016-06-21
Title
WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
Published
2015-04-20
Title
Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement
Published
2019-04-10
Title
Yuzo Related Posts < 5.12.94 - Unauthenticated Call Any Action or Update Any Option
Published
2017-01-11
Title
WordPress 4.7 - User Information Disclosure via REST API