The plugin uses the current IP address to rate-limit and/or ban users based on their IP address. However, the implementation is vulnerable to IP spoofing, so an attacker can ban arbitrary IP addresses. This can be exploited by banning search engine crawlers, the site’s reverse proxy, or legitimate users.