WordPress Plugin Vulnerabilities

Branda < 3.4.15 - IP Spoofing

Description

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 3.4.14 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass comment allow/deny lists.

Affects Plugins

Plugin icon
branda-white-labeling
Fixed in 3.4.15

References

CVE
CVE-2023-51542
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/552bc1cc-df98-4608-a50e-db1381ca8e0a

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
b2665df8-8458-4758-aad2-f1cfa36694bf

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2024-01-10
Title
WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass
Published
2023-12-05
Title
WP Photo Album Plus < 8.6.01.005 - IP Spoofing
Published
2024-03-28
Title
IP Blocker Lite <= 11.1.1 - IP Spoofing
Published
2024-06-18
Title
WP Maintenance < 6.1.9.3 - IP Spoofing to Maintenance Mode Bypass
Published
2023-09-01
Title
Activity Log < 2.8.8 - IP Spoofing