If the option βIβm behind a proxyβ is enabled, the visitor IP is read from X-Forwarded-For header, stored & printed in the admin panel without any sanitization / validation.
PoC
Set the X-Forwarded-For header to , and perform an incorrect login.