WordPress Plugin Vulnerabilities

All In One Login 2.0.8 - IP Sooofing to Protection Mechanism Bypass

Description

The plugin is vulnerable to IP Address Spoofing due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass login protection.

Affects Plugins

Plugin icon
change-wp-admin-login
Fixed in 2.0.9

References

CVE
CVE-2025-58595
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/42dacd44-f676-4d2d-ad7d-9dc5b4af6d8a

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
R1sky
Verified
No
WPVDB ID
7c919274-09dc-4659-8d98-f83d52a50f10

Timeline

Publicly Published
2025-10-09 (about 7 months ago)
Added
2025-10-16 (about 6 months ago)
Last Updated
2025-10-16 (about 6 months ago)

Other

Published
Title
Published
2023-12-05
Title
WP Photo Album Plus < 8.6.01.005 - IP Spoofing
Published
2023-12-27
Title
Rate my Post < 3.4.3 - IP Spoofing
Published
2025-03-21
Title
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder < 6.0.0 - IP-Spoofing
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2024-06-18
Title
WP Maintenance < 6.1.9.3 - IP Spoofing to Maintenance Mode Bypass