CVE-2021-36916

Name of the Vulnerable Software and Affected Versions Hide My WP WordPress plugin versions <= 6.2.3

Description The issue arises from how the IP address is retrieved and used in a SQL query. The hmwp get user ip function attempts to retrieve the IP address from multiple headers, including IP address headers that can be spoofed by the user, such as X-Forwarded-For. This allows a malicious payload supplied in one of these IP address headers to be directly inserted into the SQL query, making SQL injection possible.

Recommendations For versions <= 6.2.3, consider updating to a version greater than 6.2.3 to resolve the issue. As a temporary workaround, consider restricting access to the hmwp get user ip function until a patch is available. Avoid using the X-Forwarded-For header in the affected SQL query until the issue is resolved.