IP Address Spoofing Vulnerability in Hide My WP Ghost Security Plugin for WordPress
CVE-2022-4537

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Hide My WP Ghost – Security Plugin
Vendor: CVE Published:; 9 May 2023

Summary

The Hide My WP Ghost – Security Plugin for WordPress is susceptible to IP Address Spoofing due to inadequate restrictions governing the retrieval of IP address information for request logging and login limit enforcement. This vulnerability enables attackers to manipulate the X-Forwarded-For header to present a misleading IP address, which may subsequently bypass any settings that would normally prevent that IP from accessing the system. As a result, unauthorized users can gain access where they should otherwise be blocked.

Affected Version(s)

Hide My WP Ghost – Security Plugin * <= 5.0.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/hide-my-wp/tag...

https://plugins.trac.wordpress.org/browser/hide-my-wp/tru...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2023
Vulnerability Reserved
Dec 16, 2022

Credit

Mohammadreza Rashidi