DOS and allowlist bypass through IP spoofing – (SiteGround Security <= 1.3.0)


Affected plugin: SiteGround Security
Active installs: 600,000+
Vulnerable version: <= 1.3.0
Audited version: 1.3.0
Fully patched version: 1.3.1
Recommended remediation: Upgrade to version 1.3.1 or higher


The plugin is vulnerable to IP spoofing, which an attacker can abuse to perform a DOS attack on the target site by preventing legitimate users, or the site’s reverse proxy, from making requests to the wp-login endpoint.

Alternatively, an attacker can spoof his IP address to bypass all rate-limit restrictions.

Proof of concept

The plugin uses the Helper::get_current_user_ip method everywhere it needs access to the current request’s IP address.

The method looks like this:

public static function get_current_user_ip() {
   // Keys checked in order. The original list is truncated on this page; only
   // HTTP_CLIENT_IP (the Client-IP header used below) is shown, REMOTE_ADDR is assumed as the fallback.
   $keys = array( 'HTTP_CLIENT_IP', 'REMOTE_ADDR' );
   foreach ( $keys as $key ) {
      // Bail if the key doesn't exist.
      if ( ! isset( $_SERVER[ $key ] ) ) {
         continue;
      }
      // Bail if the IP is not valid.
      if ( ! filter_var( $_SERVER[ $key ], FILTER_VALIDATE_IP ) ) { //phpcs:ignore
         continue;
      }
      return preg_replace( '/^::1$/', '', $_SERVER[ $key ] ); //phpcs:ignore
   }
   // Return the local IP by default.
   return '';
}

Each HTTP header stored in the “$keys” variable is attacker-controlled and can be trivially spoofed.

curl -X POST -d "log=bogus" -d "pwd=bogus" -H "Client-IP:"

The request above will register a rate-limit hit for IP address

Proposed patch

This is described at length in our article on the subject.

Summary: only ever use REMOTE_ADDR to obtain the current IP.
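To show why the patch matters, here is an added example (not the plugin's code) that feeds one constructed request to both the header-based lookup and a REMOTE_ADDR-only lookup, then runs each through a toy per-IP rate limiter. The header key list, the sample addresses and the limiter are assumptions for illustration.

```php
<?php
// Added example, not code from the SiteGround Security plugin.

// Vulnerable pattern: trusts a client-supplied header before the peer address.
function ip_from_headers( array $server ) {
    // Assumed subset of the key list; the advisory shows only Client-IP.
    foreach ( array( 'HTTP_CLIENT_IP', 'REMOTE_ADDR' ) as $key ) {
        if ( isset( $server[ $key ] ) && filter_var( $server[ $key ], FILTER_VALIDATE_IP ) ) {
            return $server[ $key ];
        }
    }
    return '';
}

// Hardened pattern (the proposed patch): only the socket peer address,
// which the client cannot choose.
function ip_from_remote_addr( array $server ) {
    $ip = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';
}

// Toy rate limiter keyed by IP: the address is blocked after $limit failures.
function record_failed_login( array &$hits, $ip, $limit = 3 ) {
    $hits[ $ip ] = ( isset( $hits[ $ip ] ) ? $hits[ $ip ] : 0 ) + 1;
    return $hits[ $ip ] >= $limit;
}

// Constructed request: the real peer is 203.0.113.5, and the Client-IP header
// carries a forged value (here the address of the site's reverse proxy).
$request = array(
    'REMOTE_ADDR'    => '203.0.113.5',
    'HTTP_CLIENT_IP' => '198.51.100.10',
);

$vulnerable = array();
$hardened   = array();
for ( $i = 0; $i < 3; $i++ ) {
    record_failed_login( $vulnerable, ip_from_headers( $request ) );
    record_failed_login( $hardened, ip_from_remote_addr( $request ) );
}

// Vulnerable: the forged address is blocked, the real peer is never counted.
var_dump( isset( $vulnerable['198.51.100.10'] ), isset( $vulnerable['203.0.113.5'] ) );
// Hardened: every hit lands on the real peer address.
var_dump( $hardened === array( '203.0.113.5' => 3 ) );
```

When the site sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the proxy layer itself (for example Apache's mod_remoteip or nginx's ngx_http_realip_module, restricted to the proxy's own address) should rewrite it rather than the application trusting request headers.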


Vendor contacted: September 07, 2022
First response: September 12, 2022
Fully patched at: September 13, 2022
Publicly disclosed: April 24, 2023


  • The vendor fixed the vulnerability promptly but did not disclose in its release notes that users must update as soon as possible.
