WordPress Plugin Vulnerabilities

WP Maintenance < 6.1.9.3 - IP Spoofing to Maintenance Mode Bypass

Description

The plugin is vulnerable to IP Address Spoofing due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode.

Affects Plugins

Plugin icon
wp-maintenance
Fixed in 6.1.9.3

References

CVE
CVE-2024-0789
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6bbaa1-c50f-4dad-9e5b-04bdffd4a0ae

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Hoa Le Ngoc (lengochoa)
Verified
No
WPVDB ID
91e192f8-9ebe-4084-87ea-03f4e7d2811f

Timeline

Publicly Published
2024-06-18 (about 1 year ago)
Added
2024-06-24 (about 1 year ago)
Last Updated
2024-06-24 (about 1 year ago)

Other

Published
Title
Published
2023-08-28
Title
DoLogin Security < 3.7 - IP Spoofing
Published
2024-01-10
Title
WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass
Published
2025-10-24
Title
Password Protected < 2.7.12 - Unauthenticated Authorization Bypass via IP Address Spoofing
Published
2024-05-08
Title
Site Reviews < 7.0.0 - IP Spoofing
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass