WordPress IP spoofing vulnerabilities (10)


  • Audit Log Tampering through IP spoofing – Stream <= 3.9.3

    Affected plugin: Stream
    Active installs: 80,000+
    Vulnerable version: <= 3.9.3
    Audited version: 3.9.3
    Fully patched version: 4.0.0
    Recommended remediation: Upgrade to version 4.0.0 or higher.
    Description: The plugin, utilized for audit and security logging, exhibits a vulnerability whereby malicious actors can easily spoof IP addresses. This is less than ideal, given the plugin’s widespread use…

  • DOS through IP spoofing – (WordFence <= 7.6.2)

    The plugin is vulnerable to IP spoofing if the target site is behind a reverse proxy and WordFence is configured to fetch the IP address from any source besides REMOTE_ADDR (the default). An attacker can exploit this to ban legitimate users, search-engine crawlers, or the site’s reverse proxy.

  • DOS through IP spoofing – (Shield Security <= 16.1.6)

    The plugin is vulnerable to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.

  • DOS through IP spoofing – (All in One WP Security <= 5.0.7)

    The plugin is wide open to IP spoofing, which an attacker can exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users. Alternatively, an attacker can bring down the entire MySQL server by flooding the database with the entire IPv4 range.

  • Trivial comment spam bypass – (All in One WP Security <= 5.0.7)

    The plugin relies on “.htaccess files” to block comment spam, which will not work on NGINX servers and can be trivially bypassed through header spoofing.

  • DOS through IP spoofing – (CleanTalk <= 5.184)

    The plugin is wide open to IP spoofing, which an attacker can exploit to permanently ban search engine crawlers, the site’s reverse proxy, or legitimate users locally and in CleanTalk’s remote WAF.

  • DDOS simulation through IP spoofing – (Sucuri Security <= 1.8.35)

    Affected plugin: Sucuri Security
    Active installs: 800,000+
    Vulnerable version: <= 1.8.35
    Audited version: 1.8.35
    Fully patched version: –
    Recommended remediation: Never use the plugin without the remote WAF (premium) enabled.
    Description: The plugin is vulnerable to IP spoofing if the remote WAF is not enabled. Currently, the (free) plugin is mostly sending alerts and does…

  • DOS through IP spoofing – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin.
    Description: The plugin is vulnerable to IP spoofing, which an attacker can continuously exploit to ban search engine crawlers, the site’s reverse proxy, or legitimate users.
    Proof of concept: The plugin…

  • DOS through IP spoofing – (iThemes Security <= 8.1.2)

    The plugin is wide open to IP spoofing, which an attacker can exploit to ban search-engine crawlers, the site’s reverse proxy, or legitimate users.

  • Rate limit bypass through User-Agent spoofing – (miniOrange <= 5.5.82)

    An attacker can bypass the plugin’s WAF rate limiting by spoofing the User-Agent header to match the name of a popular search-engine crawler.