CVE-2022-4537

Name of the Vulnerable Software and Affected Versions The Hide My WP Ghost – Security Plugin plugin for WordPress versions up to, and including, 5.0.18

Description The issue is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.

Recommendations For versions up to, and including, 5.0.18, consider restricting the use of the X-Forwarded-For header until a patch is available. As a temporary workaround, review and update request logging and login restriction settings to minimize the risk of exploitation.