WordPress Plugin Vulnerabilities

Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing

Description

The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.

Proof of Concept

Set HTTP_CF_CONNECTING_IP or any of the other headers in get_client_ip_address() to spoof the IP address.

Affects Plugins

Plugin icon
restricted-site-access
Fixed in 7.3.2

References

CVE
CVE-2022-1613

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
c03863ef-9ac9-402b-8f8d-9559c9988e2b

Timeline

Publicly Published
2022-08-31 (about 1 years ago)
Added
2022-08-31 (about 1 years ago)
Last Updated
2022-08-31 (about 1 years ago)

Other

Published
Title
Published
2024-03-29
Title
VS Contact Form < 14.8 - CAPTCHA Bypass
Published
2022-04-07
Title
SiteGround Security < 1.2.6 - Authorization Weakness to Authentication Bypass via 2-FA Back-up Codes
Published
2019-04-11
Title
YellowPencil Visual CSS Style Editor <= 7.2.0 - Unauthenticated Arbitrary Options Updates
Published
2022-12-27
Title
WP Limit Login Attempts <= 2.6.5 - IP Spoofing
Published
2023-12-27
Title
RegistrationMagic < 5.2.5.1 - Form Submission Limit Bypass