WordPress Plugin Vulnerabilities

Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass

Description

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests.

Affects Plugins

Plugin icon
limit-login-attempts-reloaded
Fixed in 2.17.4

References

CVE
CVE-2020-35590
URL
https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/

Miscellaneous

Original Researcher
n4nj0
Verified
No
WPVDB ID
66dbc019-ba09-4a3f-a16d-fa04eea99ea8

Timeline

Publicly Published
2020-12-14 (about 5 years ago)
Added
2020-12-21 (about 5 years ago)
Last Updated
2020-12-22 (about 5 years ago)

Other

Published
Title
Published
2021-04-21
Title
iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass
Published
2021-11-30
Title
LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
Published
2022-09-26
Title
Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
Published
2020-03-18
Title
Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
Published
2022-11-21
Title
All In One WP Security & Firewall < 5.0.8 - IP Spoofing