CVE-2012-10001
📋 TL;DR
The Limit Login Attempts WordPress plugin before version 1.7.1 fails to clear authentication cookies when locking out users after failed login attempts. This allows attackers to continue brute-force attacks even after lockout triggers, potentially compromising WordPress admin accounts. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- WordPress Limit Login Attempts plugin
📦 What is this software?
Limit Login Attempts by Limit Login Attempts Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass lockout protection entirely, brute-force admin credentials, gain full site control, and potentially compromise the entire server infrastructure.
Likely Case
Attackers successfully brute-force WordPress admin or user accounts, leading to site defacement, data theft, or malware installation.
If Mitigated
Attackers can still attempt brute-force logins, but monitoring detects the unusual login patterns and blocks the source IPs before a successful compromise.
🎯 Exploit Status
Exploitation requires only standard HTTP requests to WordPress login endpoints with automated tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1 and later
Vendor Advisory: https://wordpress.org/plugins/limit-login-attempts/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Limit Login Attempts plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin, then install a fresh copy of version 1.7.1 or later from the WordPress plugin repository.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: all
Temporarily disable the Limit Login Attempts plugin until the patched version can be installed:
wp plugin deactivate limit-login-attempts
Implement web application firewall rules
Platform: linux
Block excessive login attempts at the network perimeter:
# Example iptables rules: record each new TCP connection to port 80 per source
# address and drop further connections from a source that opens more than 10
# within 60 seconds. This counts every connection to port 80, not only login
# POSTs, so tune --hitcount for normal traffic and add a matching pair for
# --dport 443 if the login page is served over TLS.
iptables -A INPUT -p tcp --syn --dport 80 -m recent --name wp_login --set
iptables -A INPUT -p tcp --syn --dport 80 -m recent --name wp_login --update --seconds 60 --hitcount 10 -j DROP
🧯 If You Can't Patch
- Replace with alternative login security plugin like Wordfence or iThemes Security
- Implement IP-based rate limiting at web server level (nginx rate_limit or Apache mod_evasive)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Limit Login Attempts → Version number. If the version is below 1.7.1, the site is vulnerable.
Check Version:
wp plugin get limit-login-attempts --field=version
Verify Fix Applied:
Confirm plugin version is 1.7.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from same IP without lockout
- Successful admin login after many failed attempts from same IP
Network Indicators:
- High volume of POST requests to /wp-login.php from single IP
- Login attempts continuing after expected lockout period
SIEM Query:
source="wordpress.log" AND "POST /wp-login.php" | stats count by src_ip | where count > 10
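The "login attempts continuing after expected lockout period" and "successful admin login after many failed attempts" indicators above, worked as an added example that is not part of this advisory: it parses constructed web-server access log lines and reports source IPs that keep POSTing to /wp-login.php inside a window where a working lockout should have rejected them. The retry threshold and lockout duration are assumed parameters, not values taken from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines (not real traffic). WordPress
# answers a failed login POST with 200 and a successful one with a 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [10/Oct/2012:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2012:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
198.51.100.9 - - [10/Oct/2012:14:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def login_posts(log_text):
    """Yield (ip, timestamp, status) for each POST to /wp-login.php, in log order."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].split('?')[0] == '/wp-login.php':
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), int(m['status'])

def find_lockout_bypass(log_text, allowed_retries=4, lockout=timedelta(minutes=20)):
    """Return {ip: {'attempts_after_lockout': n, 'success_after_lockout': bool}}.

    allowed_retries and lockout stand in for the plugin's configured threshold and
    lockout duration; the defaults here are assumptions, not values from the advisory.
    """
    failures, locked_until = defaultdict(int), {}
    report = defaultdict(lambda: {'attempts_after_lockout': 0, 'success_after_lockout': False})
    for ip, ts, status in login_posts(log_text):
        if ip in locked_until and ts < locked_until[ip]:
            # A working lockout would have rejected this request; count it.
            report[ip]['attempts_after_lockout'] += 1
            report[ip]['success_after_lockout'] |= status == 302
            continue
        if status == 302:
            failures[ip] = 0  # a normal successful login resets the failure count
        else:
            failures[ip] += 1
            if failures[ip] >= allowed_retries:
                locked_until[ip] = ts + lockout
                failures[ip] = 0
    return dict(report)
```

On the sample data the first address is reported with three attempts inside its lockout window, the last of them a successful login; the second address logs in normally after one failure and is not reported.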