Login Lockdown & Protection < 2.12 – Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting | CVE 2025-3766 | Plugin Vulnerabilities

Description

The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.

Affects Plugins

Fixed in 2.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ac9a3848-f486-475b-b2c7-ea1007bb30d3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

7b2696b2-d72c-4fe5-ba66-e80eccdbf9cd

Timeline

Publicly Published

2025-05-06 (about 1 year ago)

Added

2025-05-06 (about 1 year ago)

Last Updated

2025-05-07 (about 1 year ago)

Other

Published

Title

Published

2024-06-06

Title

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor < 2.0.6.2 - Missing Authorization to MA Template Creation or Modification

Published

2023-03-10

Title

RapidLoad Power-Up for Autoptimize < 1.7.2 - Multiple Subscriber+ Unauthorised AJAX Calls

Published

2022-07-22

Title

WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion

Published

2025-01-24

Title

CoBlocks < 3.1.14 - Missing Authorization

Published

2024-05-07

Title

weDocs < 2.1.5 - Missing Authorization