WordPress Plugin Vulnerabilities

DoLogin Security < 3.7.1 - Subscriber+ IP Address leak

Description

The plugin does not restrict the access of a widget that shows the IPs of failed logins to low privileged users.

Proof of Concept

Just login to subscriber account and go to: http://localhost/wp-admin/index.php#log

Affects Plugins

Plugin icon
dologin
Fixed in 3.7.1

References

CVE
CVE-2023-4800

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes
WPVDB ID
7eae1434-8c7a-4291-912d-a4a07b73ee56

Timeline

Publicly Published
2023-09-21 (about 7 months ago)
Added
2023-09-21 (about 7 months ago)
Last Updated
2023-09-21 (about 7 months ago)

Other

Published
Title
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Information Disclosure
Published
2021-03-03
Title
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
Published
2023-11-30
Title
CF7 Google Sheets Connector < 5.0.6 - Unauthenticated Sensitive Information Exposure via Debug Log
Published
2023-06-08
Title
Metform Elementor Contact Form Builder < 3.3.2 - Multiple Subscriber+ Sensitive Information Disclosure Issues
Published
2022-06-17
Title
GiveWP < 2.21.0 - Donor Information Disclosure