9.8
CVE-2020-35590
- EPSS 4.35%
- Veröffentlicht 21.12.2020 07:15:14
- Zuletzt bearbeitet 21.11.2024 05:27:39
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginLimit Login Attempts Reloaded <= 2.17.3 - Login Rate Limiting Bypass
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
Mögliche Gegenmaßnahme
Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention: Update to version 2.17.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Limitloginattempts ≫ Limit Login Attempts Reloaded SwPlatformwordpress Version < 2.17.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention
Version
*-2.17.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.35% | 0.9 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/
https://wordpress.org/plugins/limit-login-attempts-reloaded/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/669c50b8-316c-4f63-8b78-361cfcfd4d5f