PT-2020-17356 · WordPress · Limit-Login-Attempts-Reloaded

N4Nj0 · Published 2020-12-21 · Updated 2020-12-22 · CVE-2020-35590

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: limit-login-attempts-reloaded plugin versions prior to 2.17.4 for WordPress
Description: The plugin enforces its failed-login limit per client IP address, but in versions prior to 2.17.4 the address is taken from whatever request header the administrator has configured as the client source, and the value is never validated. When an arbitrary header such as X-Forwarded-For is accepted, any client can forge it, so the client-IP header will accept any arbitrary string. An attacker who sends a different random string in the header with every request is counted under a different key each time; the failed-login count for any single key therefore never reaches the maximum allowed retries, and a brute-force attack against the login form proceeds without ever being locked out.
Recommendations: Update the limit-login-attempts-reloaded plugin to version 2.17.4 or later. If updating is not immediately possible, reconfigure the plugin so that it does not take the client source IP from X-Forwarded-For or any other client-supplied header and instead uses the address of the connecting peer (REMOTE_ADDR). Keep a forwarded-for header as the source only when the site sits behind a reverse proxy that you control and that overwrites, rather than appends to, that header on every request; otherwise a client can forge it. The flaw lies in the plugin's LimitLoginAttempts.php; restricting web access to that file does not prevent the bypass, because the file is loaded by WordPress rather than requested directly, so it is not a substitute for updating or for correcting the IP-source configuration.
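The bypass in the description and the workaround in the recommendations, as an added simulation written for this page (the plugin itself is PHP, and this is not its code): a minimal per-key failed-login counter, first in the vulnerable configuration that takes whatever string appears in X-Forwarded-For as the client identity, then keyed on the peer address unless that peer is a listed reverse proxy. The lockout threshold, the proxy address, the attacker address and the LoginLimiter / brute_force names are constructed for the example, and the hardened keying is the editor's illustration of the workaround, not the code of the 2.17.4 fix.

```python
"""Added example (not the plugin's code): simulates the per-IP lockout the
advisory describes, shows why trusting a client-supplied header defeats it,
and shows a keying that closes the hole."""
import ipaddress
import secrets

MAX_RETRIES = 4                 # assumed lockout threshold; configurable in the real plugin
TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the only reverse proxy allowed to set X-Forwarded-For
ATTACKER_IP = "203.0.113.7"     # constructed attacker address (TEST-NET-3)


class LoginLimiter:
    """Minimal failed-login counter keyed on a client identity string."""

    def __init__(self, trust_arbitrary_header: bool, trusted_proxies=()):
        self.trust_arbitrary_header = trust_arbitrary_header
        self.trusted_proxies = set(trusted_proxies)
        self.failures: dict[str, int] = {}

    def client_key(self, remote_addr: str, headers: dict[str, str]) -> str:
        """Derive the key the counter is indexed by."""
        xff = headers.get("X-Forwarded-For", "")
        if self.trust_arbitrary_header:
            # Vulnerable configuration: whatever string the client sent becomes the key,
            # with no check that it is an IP or that a proxy we control set it.
            return xff or remote_addr
        # Hardened: only a listed proxy may speak for the client, and only a
        # syntactically valid address is accepted; otherwise use the peer address.
        if remote_addr in self.trusted_proxies and xff:
            candidate = xff.split(",")[-1].strip()  # last hop, i.e. the one our proxy appended
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass
        return remote_addr

    def is_locked(self, key: str) -> bool:
        return self.failures.get(key, 0) >= MAX_RETRIES

    def attempt_login(self, remote_addr: str, headers: dict[str, str], password_ok: bool = False) -> str:
        """Return 'locked' if the key is already locked out, otherwise 'ok' or 'failed'."""
        key = self.client_key(remote_addr, headers)
        if self.is_locked(key):
            return "locked"
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "failed"


def brute_force(limiter: LoginLimiter, attempts: int, randomize_header: bool) -> dict[str, int]:
    """Send `attempts` wrong passwords from ATTACKER_IP, optionally forging a fresh
    X-Forwarded-For value on every request, and count how the limiter answered."""
    outcome = {"failed": 0, "locked": 0}
    for _ in range(attempts):
        headers = {}
        if randomize_header:
            headers["X-Forwarded-For"] = secrets.token_hex(8)  # any arbitrary string will do
        outcome[limiter.attempt_login(ATTACKER_IP, headers)] += 1
    return outcome


if __name__ == "__main__":
    vulnerable = LoginLimiter(trust_arbitrary_header=True)
    print("vulnerable, forged header:", brute_force(vulnerable, 100, randomize_header=True))
    hardened = LoginLimiter(trust_arbitrary_header=False, trusted_proxies=TRUSTED_PROXIES)
    print("hardened,  forged header:", brute_force(hardened, 100, randomize_header=True))
```

In the vulnerable configuration all 100 attempts are answered "failed" and none "locked", because every forged header value opens a fresh counter. With the hardened keying the same attacker is refused after MAX_RETRIES failures, a proxy that is not on the list is ignored, and a listed proxy's header is honoured only when its last entry parses as an IP address.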

Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2020-35590

Affected Products

Limit-Login-Attempts-Reloaded