The plugin checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing
1. Send login request with x-forwarded-for: [REDACTED_IP]
2. Show spoofed IP address in the dashboard (OWASP A09:2021 – Security Logging and Monitoring Failures)