Vulnerabilities > CVE-2020-35590 - Improper Restriction of Excessive Authentication Attempts vulnerability in Limitloginattempts Limit Login Attempts Reloaded

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

limitloginattempts

CWE-307

NVD

Published: 2020-12-21

Updated: 2020-12-22

Summary

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.

Vulnerable Configurations

Part	Description	Count
Application	Limitloginattempts Limitloginattempts Limit Login Attempts Reloaded *	1

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References