WordPress Plugin Vulnerabilities

Login Block IPs <= 1.0.0 - IP Spoofing Bypass

Description

The function check_is_login_page() uses headers for the IP check, which can be easily spoofed.

Proof of Concept

Set HTTP_CLIENT_IP to bypass blocks / use allowed IP addresses.

Affects Plugins

Plugin icon
login-block-ips
No known fix

References

CVE
CVE-2022-1579

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
6f3d40fa-458b-44f0-9407-763e80b29668

Timeline

Publicly Published
2022-10-28 (about 1 years ago)
Added
2022-10-28 (about 1 years ago)
Last Updated
2022-10-28 (about 1 years ago)

Other

Published
Title
Published
2023-08-04
Title
User Access Manager < 2.2.18 - IP Spoofing
Published
2023-12-27
Title
RegistrationMagic < 5.2.5.1 - Form Submission Limit Bypass
Published
2015-05-02
Title
Slideshow 2.2.8-2.2.21 - Option Value Disclosure
Published
2024-02-01
Title
UserPro < 5.1.7 - Disabled Membership Registration Bypass
Published
2021-09-13
Title
WooCommerce Multi Currency < 2.1.18 - Authenticated Product Price Change