CVE-2020-35590
N/A
N/A
Summary
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/
- https://wordpress.org/plugins/limit-login-attempts-reloaded/#developers
References
- https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/
- https://wordpress.org/plugins/limit-login-attempts-reloaded/#developers
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.