CVE-2020-35590
📋 TL;DR
This vulnerability lets an attacker bypass the per-IP rate limiting of the WordPress Limit Login Attempts Reloaded plugin by forging the X-Forwarded-For header. When the plugin is configured to determine the client IP from a proxy header such as X-Forwarded-For instead of REMOTE_ADDR, the header value is used without validation, so every forged value is counted as a new client and the lockout never triggers, allowing unlimited brute force login attempts. WordPress sites running plugin versions before 2.17.4 with such a header configured are affected.
💻 Affected Systems
- WordPress Limit Login Attempts Reloaded plugin
📦 What is this software?
Limit Login Attempts Reloaded by Limitloginattempts is a brute-force protection plugin for WordPress that counts failed login attempts per client IP and locks the IP out after a configured number of failures.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through unlimited brute force attacks against WordPress admin and user accounts, potentially leading to site compromise, data theft, and malware installation.
Likely Case
Successful brute force attacks against weak passwords, leading to unauthorized access to WordPress accounts and potential privilege escalation.
If Mitigated
Limited impact if strong passwords, multi-factor authentication, and additional security layers are in place, though brute force attempts may still consume server resources.
🎯 Exploit Status
Exploitation requires simple HTTP header manipulation. Public proof-of-concept demonstrates the bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.17.4 and later
Vendor Advisory: https://wordpress.org/plugins/limit-login-attempts-reloaded/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Limit Login Attempts Reloaded'.
4. Click 'Update Now' if available, or manually update to version 2.17.4 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable custom IP header configuration
Configure the plugin to use REMOTE_ADDR instead of X-Forwarded-For or other custom headers. Note that behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so all visitors then share one counter and a lockout affects every user coming through that proxy.
Implement web application firewall rules
Block or rate limit requests to wp-login.php with suspicious X-Forwarded-For header patterns (values that are not IP addresses, or a single peer presenting many different values), and strip client-supplied X-Forwarded-For at the edge so only the proxy's own value reaches the application.
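The following Python model, added here as an illustration and not code from the plugin or the advisory, contrasts the vulnerable pattern described in the TL;DR (using the X-Forwarded-For value as the client IP without validation) with the hardened behaviour the workaround above aims for (fall back to REMOTE_ADDR unless the TCP peer is a trusted proxy, and require a valid IP). The attacker address, proxy address, forged header values and the lockout threshold of 4 are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption for illustration: lock an IP after 4 failed attempts (the
# plugin's allowed-retries value is configurable; 4 is used here).
MAX_ATTEMPTS = 4


def client_ip_trust_header(remote_addr, headers):
    """Vulnerable pattern (what a pre-2.17.4 install does when configured to
    read the client IP from X-Forwarded-For): the header is used as-is, no
    matter who sent it or whether it even looks like an IP address."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Hardened resolution: honour X-Forwarded-For only when the TCP peer is a
    trusted proxy, walk the chain from the right skipping trusted hops, and
    require the chosen hop to parse as an IP address. Anything else falls back
    to the peer address (REMOTE_ADDR)."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if not hop or hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # forged or malformed value: do not trust the chain
    return remote_addr


class LoginLimiter:
    """Minimal per-IP failed-login counter, keyed on whatever the resolver
    returns. The resolver is the only thing that differs between the
    vulnerable and the hardened run."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok=False):
        ip = self.resolver(remote_addr, headers)
        if self.failures[ip] >= MAX_ATTEMPTS:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "failed"


def simulate_bruteforce(resolver, attempts=20):
    """Constructed attacker at 203.0.113.7 sends `attempts` wrong passwords,
    each with a freshly forged X-Forwarded-For. Returns how many attempts the
    application actually evaluated instead of rejecting as locked out."""
    limiter = LoginLimiter(resolver)
    evaluated = 0
    for i in range(attempts):
        forged = {"X-Forwarded-For": f"198.51.100.{i}"}
        if limiter.attempt("203.0.113.7", forged) != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    trusted = {"10.0.0.1"}  # the site's own reverse proxy (constructed)
    hardened = lambda ra, h: client_ip_hardened(ra, h, trusted)
    print("header trusted blindly:", simulate_bruteforce(client_ip_trust_header))
    print("hardened resolver:     ", simulate_bruteforce(hardened))
```

With the header trusted blindly all 20 attempts are evaluated, because each forged value lands in a fresh counter; with the hardened resolver the attacker is keyed on REMOTE_ADDR and only the first 4 attempts get through. The right-to-left walk also matters when a trusted proxy is in place: the proxy appends the real client to the chain, so the rightmost untrusted hop is the address to key on and anything the client prepended is ignored.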
🧯 If You Can't Patch
- Disable the plugin entirely and use alternative login protection methods
- Implement network-level rate limiting at the load balancer or firewall
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the version of Limit Login Attempts Reloaded. A version below 2.17.4 is vulnerable when the plugin's Trusted IP Origins setting (the setting that chooses which server variable supplies the client IP) includes a proxy header such as X-Forwarded-For; with only REMOTE_ADDR selected, the forged header is never read.
Check Version:
wp plugin list --name=limit-login-attempts-reloaded --field=version
Verify Fix Applied:
Confirm the plugin version is 2.17.4 or higher in the WordPress admin panel. Then test the lockout from a single client: submit more failed logins than the configured allowed retries, each with a different X-Forwarded-For value. A fixed install still locks that client out; a vulnerable one keeps evaluating attempts.
📡 Detection & Monitoring
Log Indicators:
- Many failed login POSTs to wp-login.php from the same peer address (REMOTE_ADDR) with a different X-Forwarded-For value on each request; note that WordPress answers a failed login with HTTP 200, not 401, so filtering on 4xx status codes will miss them
- Login attempt volume from one peer that exceeds the plugin's configured retry limit without any lockout being recorded
Network Indicators:
- HTTP requests with rapidly changing X-Forwarded-For headers
- Sustained brute force patterns against login endpoints
SIEM Query:
Assumes the web server access log is ingested with the X-Forwarded-For header extracted into a field (here x_forwarded_for; WordPress does not log the header itself). Do not filter on status=401: failed wp-login.php POSTs return 200.
source="access.log" uri_path="/wp-login.php" method=POST
| stats count AS attempts dc(x_forwarded_for) AS distinct_xff BY src_ip
| where distinct_xff > 5
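The same detection logic, run offline over constructed access-log lines, is shown below as an added example (not part of the original page). It assumes the combined log format with the X-Forwarded-For value appended as a final quoted field; the addresses, timestamps and threshold are constructed.

```python
import re
from collections import defaultdict

# Combined access-log format with the X-Forwarded-For value appended as a
# final quoted field (Nginx: add '"$http_x_forwarded_for"' to log_format;
# Apache: '"%{X-Forwarded-For}i"'). WordPress itself does not log the header.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed sample: one peer rotating a forged X-Forwarded-For on every
# POST, one legitimate client with a couple of retries, plus unrelated traffic.
# WordPress answers a failed wp-login.php POST with HTTP 200, not 401.
SAMPLE_LOG = """
203.0.113.7 - - [10/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.1"
203.0.113.7 - - [10/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.2"
203.0.113.7 - - [10/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.3"
203.0.113.7 - - [10/Jan/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.4"
203.0.113.7 - - [10/Jan/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.5"
203.0.113.7 - - [10/Jan/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "198.51.100.6"
198.51.100.20 - - [10/Jan/2021:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [10/Jan/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [10/Jan/2021:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Jan/2021:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0" "198.51.100.7"
"""


def find_xff_rotation(lines, threshold=5):
    """Group wp-login.php POSTs by the real peer address and count the distinct
    X-Forwarded-For values that peer presented. A single peer showing at least
    `threshold` distinct values is rotating the header. Returns
    {peer: (login_posts, distinct_xff)} for flagged peers only."""
    stats = defaultdict(lambda: {"posts": 0, "xff": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        entry = stats[m["src"]]
        entry["posts"] += 1
        if m["xff"] not in ("", "-"):
            entry["xff"].add(m["xff"])
    return {
        src: (e["posts"], len(e["xff"]))
        for src, e in stats.items()
        if len(e["xff"]) >= threshold
    }


if __name__ == "__main__":
    hits = find_xff_rotation(SAMPLE_LOG.strip().splitlines())
    for peer, (posts, distinct) in hits.items():
        print(f"{peer}: {posts} login POSTs with {distinct} distinct X-Forwarded-For values")
```

Only the peer that rotated the header is flagged; the legitimate client's two retries never present a forged value. Keying on the peer address rather than the header is the point: the header is attacker-controlled, the TCP source is not.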
🔗 References
- https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/
- https://wordpress.org/plugins/limit-login-attempts-reloaded/#developers