CVE-2022-4533

MEDIUM

Limit Login Attempts Plus <1.1.0 - SSRF

Title source: llm

Description

The Limit Login Attempts Plus plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.

References (2)

Core 2

Core References

Issue Tracking

https://plugins.trac.wordpress.org/browser/limit-login-attempts-plus/trunk/core/LimitLoginAttempts.php#L1043

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/aec7b59f-1c8a-4403-b33b-c119bd96ad9d?source=cve

Scores

CVSS v3 5.3

EPSS 0.0021

EPSS Percentile 11.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-345 CWE-348

Status published

Products (2)

devfelixmoira/Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix < 1.1.0

devfelixmoira/limit_login_attempts_plus < 1.1.0

Published Sep 19, 2024

Tracked Since Feb 18, 2026