Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by krut1
CVE-2022-4532 (GCVE-0-2022-4532)
Vulnerability from cvelistv5 – Published: 2024-08-17 07:34 – Updated: 2026-04-08 16:52
VLAI
Title
LOGIN AND REGISTRATION ATTEMPTS LIMIT<= 2.1 - IP Address Spoofing to Protection Mechanism Bypass
Summary
The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| krut1 | LOGIN AND REGISTRATION ATTEMPTS LIMIT |
Affected:
0 , ≤ 2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T17:10:59.519489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T17:12:44.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LOGIN AND REGISTRATION ATTEMPTS LIMIT",
"vendor": "krut1",
"versions": [
{
"lessThanOrEqual": "2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammadreza Rashidi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:15.947Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50421e90-ccd6-4896-8041-b99279314301?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-attempts-limit-wp/trunk/includes/Ip.php#L41"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "LOGIN AND REGISTRATION ATTEMPTS LIMIT\u003c= 2.1 - IP Address Spoofing to Protection Mechanism Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4532",
"datePublished": "2024-08-17T07:34:21.670Z",
"dateReserved": "2022-12-15T23:09:13.198Z",
"dateUpdated": "2026-04-08T16:52:15.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}