CVE-2022-4097
All-In-One Security (AIOS) – Security and Firewall <= 5.0.8 - IP Spoofing to Protection Mechanism Bypass
mediumUse of Less Trusted Source
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
5.0.8
Patched in
428d
Time to patch
Description
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.8. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
Low
Integrity
None
Availability
Technical Details
Affected versions
<=5.0.7PublishedNovember 21, 2022
Last updatedJanuary 22, 2024
Affected pluginall-in-one-wp-security-and-firewall
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.