IP Address Spoofing Vulnerability in WordPress Login and Registration Attempts Limit Plugin
CVE-2022-4532

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Login And Registration Attempts Limit
Vendor: CVE Published:; 17 August 2024

What is CVE-2022-4532?

The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is susceptible to IP address spoofing due to inadequate measures in restricting the source of IP address logging. This vulnerability allows attackers to manipulate the X-Forwarded-For header to log a misleading IP address. As a result, attackers can bypass login restrictions intended to block specific IP addresses from gaining access. This security oversight highlights the importance of effective IP address verification methods in safeguarding user authentication processes within WordPress sites.

Affected Version(s)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/login-attempts...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 17, 2024
Vulnerability Reserved
Dec 15, 2022

Credit

Mohammadreza Rashidi