A flaw was found in Wordpress 5.1. “X-Forwarded-For” is a HTTP header used
to carry the client’s original IP address. However, because these headers
may very well be added by the client to the requests, if the
systems/devices use IP addresses which decelerate at X-Forwarded-For header
instead of original IP, various issues may be faced. If the data
originating from these fields is trusted by the application developers and
processed, any authorization checks originating IP address logging could be
manipulated.