CVE-2022-4537

MEDIUM

Hide My WP Ghost - Security Plugin <5.0.18 - Info Disclosure

Title source: llm

Description

The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131

Product

https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve

Scores

CVSS v3 6.5

EPSS 0.0032

EPSS Percentile 23.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-345 CWE-348

Status published

Products (2)

johndarrel/WP Ghost (Hide My WP Ghost) – Security & Firewall < 5.0.18

wpplugins/hide_my_wp_ghost < 5.0.18

Published May 09, 2023

Tracked Since Feb 18, 2026