PT-2024-11699 · WordPress · Wp Limit Login Attempts

Author: Mohammadreza Rashidi (+1)
Published: 2024-09-18 · Updated: 2025-10-24
CVE: CVE-2022-4533
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Limit Login Attempts Plus plugin for WordPress, versions up to and including 1.1.0.

Description: The issue arises from insufficient restrictions on where the plugin retrieves the client IP address used for request logging and login restrictions. Because the X-Forwarded-For header is trusted as the source of that address, an attacker can supply the header with a different IP address, which is then the one logged, potentially bypassing settings that block specific IP addresses or countries from logging in.

Recommendations: For versions up to and including 1.1.0, consider disabling the IP address logging feature until a patch is available, or restrict access to the login functionality to minimize the risk of exploitation. Avoid relying solely on the X-Forwarded-For header for IP address information.
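As an added illustration (not code from the plugin or from this advisory), the trust-the-header pattern the description refers to, beside a hardened resolver that only honours X-Forwarded-For when the TCP peer is one of a configured set of reverse proxies. The function names, the proxy list and the sample requests are constructed for this example.

```php
<?php
// Vulnerable pattern (constructed illustration, not the plugin's code):
// whatever the client puts first in X-Forwarded-For is taken at face value,
// so the caller chooses the address that gets logged and rate-limited.
function client_ip_vulnerable(array $server): string {
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened version: the header is consulted only when REMOTE_ADDR is one of
// our own reverse proxies, and then only the right-most address that a
// trusted proxy appended is used; everything left of it is client-controlled.
function client_ip_hardened(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct connection: the header is untrusted, ignore it
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk from the right, skipping our own proxies; the first non-proxy hop
    // is the address the outermost trusted proxy actually connected from.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if ($hop === '' || in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        // Reject non-IP garbage rather than logging it; fall back to the peer.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
    }
    return $peer; // header empty or contained only our proxies
}

$trusted = ['10.0.0.5']; // assumed address of the site's reverse proxy

// Constructed request: a direct client at 203.0.113.7 forges the header.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
echo "vulnerable resolver sees: " . client_ip_vulnerable($spoofed) . PHP_EOL;
echo "hardened resolver sees:   " . client_ip_hardened($spoofed, $trusted) . PHP_EOL;

// Same forged header, but arriving via the trusted proxy, which appended the real client.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'];
echo "hardened resolver sees:   " . client_ip_hardened($proxied, $trusted) . PHP_EOL;
```

The list of trusted proxies must be configured by the site operator, not derived from the request; in a WordPress deployment this is the same information the site already needs to make REMOTE_ADDR meaningful behind a load balancer.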

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2022-4533

Affected Products: Wp Limit Login Attempts