DOS through IP spoofing – (Magic Login Pro <= 1.4.1)



Affected plugin: Magic Login Pro
Active installs: Unknown
Vulnerable version: <= 1.4.1
Audited version: 1.4.1
Fully patched version: 1.5
Recommended remediation: Upgrade to version 1.5 or higher

Description


The plugin rate limits login requests based on the current client IP address.
The implementation is vulnerable to IP spoofing: because the address is taken from a client-controlled header, an attacker can cause arbitrary users, or the site's own reverse proxy, to be banned from the login page.

Proof of concept


The plugin uses the "get_client_ip" function everywhere it needs the current client IP address.

// Vulnerable implementation as shipped in Magic Login Pro <= 1.4.1.
function get_client_ip() {
	// X-Forwarded-For is an ordinary request header: any client can set it
	// to any value, so this branch returns attacker-chosen input.
	if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		return $_SERVER['HTTP_X_FORWARDED_FOR'];
	}

	// Only reached when the header is absent; REMOTE_ADDR is set by the
	// web server from the TCP connection and cannot be forged by the client.
	return $_SERVER['REMOTE_ADDR'];
}

This function blindly reads the IP address from the X-Forwarded-For header, which is entirely user-controlled. Whatever value a request carries in that header is used as the address to rate limit and ban, so the ban list can be filled with addresses the attacker chooses rather than the attacker's own.

Proposed patch


This is described at length in our article on the subject.

Summary: Only ever use REMOTE_ADDR to determine the current client IP address.
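The following is an added example, not code from the plugin or from the authors of this advisory. It shows a hardened replacement for the get_client_ip() function in the proof of concept above. By default it follows the advisory's recommendation and uses REMOTE_ADDR only; as an optional extension it also honours X-Forwarded-For when the connecting peer is a reverse proxy the site operator has explicitly listed. The function name secure_get_client_ip, the $trusted_proxies parameter and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example (not the plugin's code). Names, the $trusted_proxies
// parameter and the sample addresses below are illustrative assumptions.

/**
 * Return the client IP address to use for rate limiting.
 *
 * REMOTE_ADDR is filled in by the web server from the TCP connection and
 * cannot be forged by the HTTP client. X-Forwarded-For is honoured only when
 * REMOTE_ADDR is a proxy the operator has explicitly listed, and even then
 * only the entry appended by that proxy is used; entries further left were
 * supplied by the client and are untrusted.
 *
 * @param array $server          The $_SERVER array (passed in for testability).
 * @param array $trusted_proxies Addresses of reverse proxies operated by the site.
 * @return string
 */
function secure_get_client_ip( array $server, array $trusted_proxies = array() ) {
	$remote = isset( $server['REMOTE_ADDR'] ) ? trim( $server['REMOTE_ADDR'] ) : '';

	// Default (and the advisory's recommendation): trust REMOTE_ADDR only.
	// The header is ignored unless the direct peer is one of our own proxies.
	if ( empty( $trusted_proxies ) || ! in_array( $remote, $trusted_proxies, true ) ) {
		return $remote;
	}

	if ( empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		return $remote;
	}

	// Each proxy appends the address it saw to the right-hand end of the
	// chain. Walk from the right, skipping our own proxies, and stop at the
	// first address that is not ours. Validate it so a malformed header
	// cannot poison the ban list.
	$hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
	for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
		if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
			continue;
		}
		if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
			return $hops[ $i ];
		}
		break; // Malformed entry: fall back to the connecting address.
	}

	return $remote;
}

// Constructed requests illustrating the difference.

// A client connecting directly and supplying a forged header.
$spoofed = array(
	'REMOTE_ADDR'          => '203.0.113.10',
	'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
);

// A request arriving through the site's reverse proxy at 10.0.0.2: the first
// entry was forged by the client, the second was appended by the proxy.
$behind_proxy = array(
	'REMOTE_ADDR'          => '10.0.0.2',
	'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.10',
);

// With no proxies configured the forged header is ignored and the real
// connecting address (203.0.113.10) is returned.
echo secure_get_client_ip( $spoofed ), PHP_EOL;

// With the proxy trusted, only the address it appended is used, so the
// client-forged 192.0.2.99 never reaches the rate limiter.
echo secure_get_client_ip( $behind_proxy, array( '10.0.0.2' ) ), PHP_EOL;
```

The important property is that an address taken from X-Forwarded-For only ever comes from an entry written by infrastructure the operator controls. If the site is not behind a reverse proxy at all, pass no trusted proxies and the function reduces to returning REMOTE_ADDR, which is exactly the fix the advisory recommends.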

Timeline


Vendor contacted: September 07, 2022
First response: September 07, 2022
Fully patched at: September 12, 2022
Publicly disclosed: April 24, 2023

Miscellaneous


  • The vendor showed exceptional cooperation and implemented our proposed patches in less than four business days.
  • The vendor did not hide the vulnerability in its release notes and urged all users to update immediately.
