CVE-2020-35590
Limit Login Attempts Reloaded <= 2.17.3 - Login Rate Limiting Bypass
highImproper Restriction of Excessive Authentication Attempts
7.3
CVSS Score
7.3
CVSS Score
high
Severity
2.17.4
Patched in
1135d
Time to patch
Description
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
Low
Integrity
Low
Availability
Technical Details
Affected versions
<=2.17.3PublishedDecember 14, 2020
Last updatedJanuary 22, 2024
Affected pluginlimit-login-attempts-reloaded
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.