260 matches found
CVE-2026-22201
wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent...
CVE-2026-33690
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-base...
CVE-2026-33690
WWBN AVideo (open source video platform) versions up to 26.0 contain a vulnerability in getRealIpAddr() in objects/functions.php that trusts user-controlled HTTP headers to derive the client IP. An attacker can spoof their IP by sending forged headers, potentially bypassing IP-based access contro...
CVE-2016-20031
CVE-2016-20031 affects ZKTeco ZKBioSecurity 3.0 (visLogin.jsp). The vulnerability enables a local authorization bypass by spoofing localhost requests; EnvironmentUtil.getClientIp() maps IPv6 loopback 0:0:0:0:0:0:0:1 to 127.0.0.1 and uses that IP as the username with a hardcoded password (123456) ...
CVE-2026-0692
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's WC_Geolocation::get_ip_address function to validate IPN requests, which trusts user-controllable...
CVE-2023-50463
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictio...
CVE-2025-13694 AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header
The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is...
PT-2026-1604
Name of the Vulnerable Software and Affected Versions: AA Block Country plugin for WordPress versions up to and including 1.0.1. Description: The AA Block Country plugin for WordPress is susceptible to IP Address Spoofing. The plugin relies on user-provided headers, specifically the HTTP X FORWARDED...
Signal K Server Vulnerable to Access Request Spoofing
The SignalK access request system has two related features that when combined by themselves and with the information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId,...
CVE-2025-15154
A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiat...
WordPress plugin g-FFL Cockpit authorization issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin.... An authorization...
CVE-2025-12039
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
CVE-2025-12039 BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
EUVD-2025-198393
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
PT-2025-47708
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
Security Bulletin: Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Summary: Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management have been addressed in 2.3 FP12. Vulnerability Details: CVEID: CVE-2024-51504 DESCRIPTION: When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this onl...
CVE-2025-12094 OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers such as CF-Connecting-IP, X-Forwarded-For,...
CVE-2025-11244
CVE-2025-11244 affects the WordPress Password Protected plugin (versions ≤ 2.7.11). The vulnerability arises because the plugin trusts client-controlled HTTP headers (e.g., X-Forwarded-For, HTTP_CLIENT_IP) in pp_get_ip_address() when the Use transients option is enabled, enabling an unauthenticated...
EUVD-2025-35905
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers to determine user IP...