WordPress Plugin Vulnerabilities

Wp Ultimate Review < 2.3.7 - IP Spoofing

Description

The plugin is vulnerable to IP Address Spoofing due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass IP rate limiting.

Affects Plugins

Plugin icon
wp-ultimate-review
Fixed in 2.3.7

References

CVE
CVE-2024-21746
URL
https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-2-5-ip-limit-bypass-vulnerability

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
86a2fcff-616b-4d3b-8428-b6d2e4a3264c

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-12 (about 2 years ago)
Last Updated
2025-12-26 (about 5 months ago)

Other

Published
Title
Published
2024-09-16
Title
Maintenance Redirect < 2.1.0 - IP Spoofing to Maintenance Mode Bypass
Published
2025-02-11
Title
Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing
Published
2023-08-28
Title
DoLogin Security < 3.7 - IP Spoofing
Published
2024-10-07
Title
Limit Login Attempts (Spam Protection) < 5.4 - IP Address Spoofing to Protection Mechanism Bypass
Published
2024-05-08
Title
Site Reviews < 7.0.0 - IP Spoofing