WordfenceCVE-2022-4533CVE-2022-4533
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
17.8%
The Limit Login Attempts Plus plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| felixmoira | limit_login_attempts_plus | * | cpe:2.3:a:felixmoira:limit_login_attempts_plus:*:*:*:*:*:wordpress:*:* |
CNA Affected
[
{
"vendor": "devfelixmoira",
"product": "Limit Login Attempts Plus – WordPress Limit Login Attempts By Felix",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "1.1.0",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
17.8%