WordPress Plugin Vulnerabilities

Login Lockdown & Protection < 2.15 - IP Block Bypass

Description

The plugin is vulnerable to IP Block Bypass due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP Address. This makes it possible for unauthenticated attackers to bypass blocks due to invalid login attempts.

Affects Plugins

Plugin icon
login-lockdown
Fixed in 2.15

References

CVE
CVE-2025-11707
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9c732ea2-0263-4b18-9aa4-29e387b26362

Miscellaneous

Original Researcher
William Cooke
Verified
No
WPVDB ID
803f4f92-e5c0-4bf9-8a9d-447fc54d0efc

Timeline

Publicly Published
2025-12-12 (about 6 months ago)
Added
2025-12-12 (about 6 months ago)
Last Updated
2025-12-12 (about 6 months ago)

Other

Published
Title
Published
2020-09-22
Title
Ninja Forms < 3.4.27.1 - Validation Bypass via Email Field
Published
2022-08-31
Title
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing
Published
2017-01-11
Title
WordPress 4.7 - User Information Disclosure via REST API
Published
2024-04-22
Title
Appointment Hour Booking < 1.4.57 - Captcha Bypass
Published
2020-01-21
Title
WordPress <= 5.2.3 - Hardening Bypass