WordPress Plugin Vulnerabilities

Login Lockdown & Protection < 2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting

Description

The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.

Affects Plugins

Plugin icon
login-lockdown
Fixed in 2.12

References

CVE
CVE-2025-3766
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac9a3848-f486-475b-b2c7-ea1007bb30d3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
7b2696b2-d72c-4fe5-ba66-e80eccdbf9cd

Timeline

Publicly Published
2025-05-06 (about 1 year ago)
Added
2025-05-06 (about 1 year ago)
Last Updated
2025-05-07 (about 1 year ago)

Other

Published
Title
Published
2025-03-11
Title
Block Spam By Math Reloaded <= 2.2.4 - Missing Authorization
Published
2023-12-27
Title
weForms < 1.6.19 - Missing Authorization via export_form_entries
Published
2026-02-18
Title
BackWPup < 5.6.3 - BackWPup Helper+ Privilege Escalation via Arbitrary Options Update
Published
2024-02-28
Title
WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS
Published
2024-12-02
Title
ARForms <= 6.4.1 - Missing Authorization to Plugin Settings Change