WordPress IP spoofing vulnerabilities (4)
-
DOS through IP spoofing – (Limit Login Attempts Reloaded <= 2.25.5)
An attacker can exploit this to ban legitimate users or the site’s own reverse proxy from making requests to the wp-login endpoint, which prevents anybody from logging in to the site.
-
DOS through IP spoofing – (WP fail2ban <= 4.4.0.6)
The plugin is vulnerable to IP spoofing if the user makes use of the trusted proxies functionality in the plugin. An attacker can exploit this to ban search engine crawlers, the site’s reverse proxy, or legitimate users at the fail2ban level.
-
DOS through IP spoofing – (SecuPress <= 2.2.2)
The plugin rate-limits and/or bans users based on their current IP address. However, the implementation is vulnerable to IP spoofing, so an attacker can ban arbitrary IP addresses, such as those of search engine crawlers, the site’s reverse proxy, or legitimate users.
-
DOS through IP spoofing – (Magic Login Pro <= 1.4.1)
The plugin uses the current IP address to rate-limit login requests. The implementation is vulnerable to IP spoofing, which an attacker can use to ban arbitrary users or the site’s reverse proxy from accessing the login page.