WordPress Plugin Vulnerabilities

IP Based Login < 2.4.1 - Log Deletion via CSRF

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
ip-based-login
Fixed in 2.4.1

References

CVE
CVE-2024-13118

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
eba6f98e-b931-4f02-b190-ca855a674839

Timeline

Publicly Published
2025-03-04 (about 10 months ago)
Added
2025-03-04 (about 10 months ago)
Last Updated
2025-03-04 (about 10 months ago)

Other

Published
Title
Published
2025-12-04
Title
User Generator and Importer <= 1.2.2 - Cross-Site Request Forgery to Privilege Escalation via Arbitrary Administrator Account Creation
Published
2024-11-01
Title
Naver Blog <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-05
Title
Notification for Telegram <= 3.4.6 - Cross-Site Request Forgery
Published
2025-09-22
Title
WP Attractive Donations System < 1.29 - Cross-Site Request Forgery
Published
2024-11-09
Title
The Events Calendar < 6.7.1 - Trashed Events Restoration via CSRF