WordPress Plugin Vulnerabilities
WP Limit Login Attempts <= 2.6.5 - IP Spoofing
Description
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.
Proof of Concept
Set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR as used in wp_limit_getip() to spoof the IP address and bypass the block.
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-27 (about 1 years ago)
Added
2022-12-27 (about 1 years ago)
Last Updated
2024-03-22 (about 1 months ago)