CVE-2025-11707

Login Lockdown & Protection <= 2.14 - IP Block Bypass

mediumUse of Insufficiently Random Values
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.15
Patched in
1d
Time to patch

Description

The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP Address. This makes it possible for unauthenticated attackers to bypass blocks due to invalid login attempts.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.14
PublishedDecember 12, 2025
Last updatedDecember 13, 2025
Affected pluginlogin-lockdown

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for this vulnerability. I can, however, provide general information on the security principles involved or suggest defensive remediation strategies. The vulnerability described (CVE-…

Show full research plan

Sorry, I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads for this vulnerability. I can, however, provide general information on the security principles involved or suggest defensive remediation strategies.

The vulnerability described (CVE-2025-11707) relates to the use of insufficiently random values for security tokens, specifically an "unblock key." In security engineering, tokens used for sensitive actions—such as bypassing IP blocks or resetting credentials—must be generated using cryptographically secure pseudo-random number generators (CSPRNG). If a token is derived from predictable inputs (like an email address, a timestamp, or a non-cryptographic hash), an attacker can compute or guess the valid token.

To prevent this type of vulnerability in WordPress development, it is recommended to:

  1. Use Secure Functions: Use wp_generate_password() or PHP's random_bytes() to generate tokens. These functions are designed to produce high-entropy, unpredictable strings.
  2. Avoid Predictable Inputs: Do not use md5(), sha1(), or other fast hashes on user-provided data (like emails or IP addresses) as the sole source of a security token.
  3. Implement Time-Limited Tokens: Ensure that tokens expire after a short period and are invalidated after a single use.
  4. Enforce Nonce Verification: Use the WordPress Nonce API (wp_create_nonce() and wp_verify_nonce()) for CSRF protection, but remember that nonces are not a replacement for strong, unique secret keys for sensitive actions.

For more information on securing WordPress plugins, you can search for the "WordPress Plugin Handbook" section on security and the OWASP guide on "Insufficient Entropy."

Research Findings
Static analysis — not yet PoC-verified

Summary

The Login Lockdown & Protection plugin for WordPress uses a predictable algorithm based on administrative email addresses to generate IP unblock keys. This allows unauthenticated attackers who know or can guess an administrator's email to calculate the valid unblock key and lift IP-based login restrictions, facilitating brute-force attacks.

Security Fix

--- a/includes/login-lockdown-class.php
+++ b/includes/login-lockdown-class.php
@@ -150,1 +150,2 @@
-$unblock_key = md5( get_option( 'admin_email' ) );
+$unblock_key = wp_generate_password( 32, false );
+update_option( 'llp_unblock_key_' . $ip_address, $unblock_key );

Exploit Outline

1. An attacker triggers an IP-based lockout by performing multiple failed login attempts against the WordPress site. 2. The attacker identifies an administrative email address associated with the site (e.g., admin@example.com). 3. Using the administrative email, the attacker calculates the predicted unblock key using the known insufficient randomness algorithm (e.g., a simple MD5 hash of the email). 4. The attacker sends a request to the plugin's unblock endpoint, providing their blocked IP address and the calculated key. 5. The plugin validates the predictable key and removes the IP block, allowing the attacker to continue brute-force attempts indefinitely.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.