Lucene search

WpvulndbWPEX-ID:44B3ABD0-B4E7-416C-BF1E-A2520F202385

HistoryFeb 12, 2024 - 12:00 a.m.

Login Lockdown – Protect Login Form < 2.09 - Subscriber+ Options Leak

2024-02-1200:00:00

wpvulndb

protect

subscriber

options leak

url

vulnerable site

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

9.4

Confidence

High

EPSS

Percentile

15.5%

JSON

Description The plugin does not prevent logged-in users of any role (e.g. subscribers) from leaking its settings, which may include allowlisted IP addresses as well as a global unlock key, with which they could add their own IP address to the plugin’s list.

As a logged-in subscriber, visit the following URL:

https://vulnerablesite.tld/wp-admin/?action=loginlockdown_export_settings

References

www.wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

9.4

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for WPEX-ID:44B3ABD0-B4E7-416C-BF1E-A2520F202385