WordPress Plugin Vulnerabilities

coreActivity < 2.1 - Unauthenticated IP Spoofing

Description

The plugin retrieved IP addresses of requests via headers such X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value

Proof of Concept

As unauthenticated: curl 'https://example.com/attacker' -H 'X-FORWARDED: 127.0.0.1'

Then view the logs and note that the plugin display the IP of the request as 127.0.0.1

Affects Plugins

Plugin icon
coreactivity
Fixed in 2.1

References

CVE
CVE-2024-0868

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
bb7c2d2b-cdfe-433b-96cf-714e71d12b22

Timeline

Publicly Published
2024-03-27 (about 1 months ago)
Added
2024-03-27 (about 1 months ago)
Last Updated
2024-03-27 (about 1 months ago)

Other

Published
Title
Published
2023-11-21
Title
Maspik – Spam blacklist < 0.10.4 - IP Validation Bypass
Published
2023-12-27
Title
RegistrationMagic < 5.2.5.1 - IP Spoofing
Published
2024-05-08
Title
Site Reviews < 7.0.0 - IP Spoofing
Published
2023-11-27
Title
Antispam Bee < 2.11.4 - IP Address Spoofing via get_client_ip
Published
2024-01-10
Title
WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass