CVE-2022-4100
📋 TL;DR
The WP Cerber Security plugin for WordPress, versions up to and including 9.4, contains an IP protection bypass. The plugin derives the client address from the X-Forwarded-For HTTP header, which any client can set, so an attacker whose real address is blocked can circumvent IP blocking simply by sending the header with an unblocked IP address. This affects every WordPress site running a vulnerable version of the plugin.
💻 Affected Systems
- WP Cerber Security, Anti-spam & Malware Scan
📦 What is this software?
WP Cerber Security, Anti-spam & Malware Scan is a WordPress security plugin that protects the login form, maintains IP access lists (allow and deny) and filters spam and malicious requests. All of those decisions hinge on the client IP address the plugin resolves for each request, which is why a spoofable address defeats them.
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass all IP-based security controls, gaining access to blocked resources, performing brute force attacks, or accessing admin areas despite being on blocklists.
Likely Case
Attackers bypass IP blocking to access restricted content, perform comment spam, or attempt login attacks from blocked IP ranges.
If Mitigated
Limited impact if other security layers exist, but IP-based blocking becomes unreliable for targeted attacks.
🎯 Exploit Status
Exploitation requires only HTTP header manipulation, making it trivial for attackers with basic knowledge.
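As an added illustration (not WP Cerber's code and not part of the original advisory), the two ways of resolving a client address side by side in Python: the vulnerable pattern takes the address from X-Forwarded-For whenever the header is present, the hardened one believes the header only when the connection arrives from a configured trusted proxy range and reads the chain from the right. The deny list, the proxy range and all addresses are constructed for the example.

```python
"""Client-IP resolution: the pattern behind an X-Forwarded-For bypass and a hardened form.

Constructed example, not WP Cerber's code. Each request is a dict shaped like PHP's
$_SERVER: REMOTE_ADDR is the TCP peer the web server actually talked to,
HTTP_X_FORWARDED_FOR is whatever the client (or a proxy in front of us) sent.
"""
import ipaddress

# Hypothetical deny list: the attacker's real address is blocked, the one it claims is not.
DENY_LIST = {"203.0.113.7"}

# Hypothetical trusted reverse-proxy range; only hops appended from here are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_vulnerable(server: dict) -> str:
    """Vulnerable pattern: prefer X-Forwarded-For whenever it is present.

    The header is plain client input, so a blocked client simply picks an unblocked
    identity. Using the leftmost hop makes it worse: that is the hop the client wrote."""
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        return xff.split(",")[0].strip()
    return server["REMOTE_ADDR"]


def _is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(server: dict) -> str:
    """Hardened pattern: believe X-Forwarded-For only for hops added by trusted proxies.

    If the TCP peer is not a trusted proxy the header is ignored outright. Otherwise walk
    the chain from the right (the hop appended last, by the proxy nearest us), skipping
    trusted proxy addresses; the first untrusted address is the real client. A malformed
    hop at that position means the proxy chain is misconfigured: fall back to the peer
    rather than guess."""
    peer = server["REMOTE_ADDR"]
    if not _is_trusted_proxy(peer):
        return peer
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        return hop
    return peer


def is_blocked(server: dict, resolver) -> bool:
    """Deny-list check as a plugin would apply it, parameterised by the resolver."""
    return resolver(server) in DENY_LIST


# Constructed requests.
DIRECT_SPOOF = {  # blocked client connects directly and claims to be 198.51.100.1
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "198.51.100.1",
}
VIA_PROXY = {  # same client behind a trusted proxy, which appended the real address
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7",
}

if __name__ == "__main__":
    for name, req in (("direct, forged header", DIRECT_SPOOF), ("via trusted proxy", VIA_PROXY)):
        print(f"{name}: vulnerable blocks={is_blocked(req, client_ip_vulnerable)}, "
              f"hardened blocks={is_blocked(req, client_ip_hardened)}")
```

In both constructed cases the vulnerable resolver returns the forged 198.51.100.1 and lets the blocked client through, while the hardened resolver returns 203.0.113.7 and blocks it. The same rule is what a web server's trusted-proxy module (Apache mod_remoteip, nginx ngx_http_realip_module) implements for you when it is configured with the proxy range.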
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2865322/wp-cerber/trunk/cerber-common.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Cerber Security.
4. Click 'Update Now' if available.
5. If no update is offered, download version 9.5 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Web Server IP Validation
Make the web server the authority on the client address. If the site is not behind a reverse proxy, strip any client-supplied X-Forwarded-For before the request reaches PHP. If it is behind a proxy, let the proxy module (Apache mod_remoteip with RemoteIPTrustedProxy, nginx ngx_http_realip_module with set_real_ip_from) rewrite REMOTE_ADDR from the header only for connections arriving from the proxy's address range. Do not unset the header on a site that sits behind a proxy: every request would then be attributed to the proxy, and a single block would lock out all visitors.
# Apache (mod_headers), site not behind a reverse proxy: drop the client-supplied header
RequestHeader unset X-Forwarded-For
# Nginx with PHP-FPM, site not behind a reverse proxy: override the header before it reaches PHP
fastcgi_param HTTP_X_FORWARDED_FOR "" if_not_empty;
Disable IP Blocking Temporarily
Disable WP Cerber's IP blocking until the plugin is patched. This removes the control rather than hardening it, so only do it if blocking is enforced elsewhere (network firewall, WAF); otherwise the bypassable blocking still stops untargeted attackers who do not bother to forge the header.
# In WP Cerber settings: disable the 'IP Access Lists' feature
🧯 If You Can't Patch
- At the WAF or CDN, strip client-supplied X-Forwarded-For headers before they reach the origin, unless the WAF itself is the trusted proxy that sets the header, in which case the origin must accept it only from the WAF's addresses
- Enforce IP blocking at the network or host firewall, which acts on the real source address of the connection and cannot be defeated with a header
🔍 How to Verify
Check if Vulnerable:
Check WP Cerber plugin version in WordPress admin panel under Plugins > Installed Plugins
Check Version:
# With WP-CLI (9.4 or lower is vulnerable): wp plugin list --name=wp-cerber --field=version
Verify Fix Applied:
After updating, send two requests to wp-login.php from an address on the deny list, one plain and one with X-Forwarded-For set to an address that is not blocked. A patched install returns the same blocked response for both; if the second request gets through, the header is still being trusted.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from same IP with varying X-Forwarded-For headers
- Blocked IP addresses appearing in access logs with successful requests
Network Indicators:
- HTTP requests carrying an X-Forwarded-For header on connections that did not arrive through a trusted proxy, especially from known malicious IPs
SIEM Query (Splunk-style; assumes the web server logs X-Forwarded-For, for example Apache %{X-Forwarded-For}i or nginx $http_x_forwarded_for, and that it is extracted as the field x_forwarded_for alongside src_ip):
source="*access.log*" ("wp-login.php" OR "xmlrpc.php") x_forwarded_for!="-" | stats count dc(x_forwarded_for) AS claimed_ips BY src_ip | where claimed_ips > 1
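The log indicators above turned into a check that can be run over an exported access log, as an added example that is neither the advisory's nor the plugin's code. It assumes the web server appends X-Forwarded-For as a final quoted field to the combined log format ("-" when absent) and treats 10.0.0.0/8 as the trusted proxy range, where the header is legitimate. The log lines are constructed.

```python
"""Hunt access logs for login/XML-RPC requests whose X-Forwarded-For was supplied by the
client rather than by a trusted proxy, and report sources that cycled through several
claimed addresses.

Constructed example. Assumes the combined log format plus one trailing quoted field for
X-Forwarded-For (Apache: "%{X-Forwarded-For}i"; nginx: "$http_x_forwarded_for") and a
hypothetical trusted proxy range of 10.0.0.0/8.
"""
import ipaddress
import re
from collections import defaultdict

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
WATCHED_PATHS = ("/wp-login.php", "/xmlrpc.php")

# combined log format + one extra quoted field for X-Forwarded-For ("-" when absent)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Constructed sample log: 203.0.113.7 rotates the header on every attempt, 198.51.100.20
# sends none, and 10.0.0.5 is the trusted proxy forwarding a genuine client.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2317 "-" "curl/7.81.0" "192.0.2.10"
203.0.113.7 - - [01/Dec/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2317 "-" "curl/7.81.0" "192.0.2.11"
203.0.113.7 - - [01/Dec/2022:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411 "-" "curl/7.81.0" "192.0.2.12"
198.51.100.20 - - [01/Dec/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2317 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [01/Dec/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2317 "-" "Mozilla/5.0" "192.0.2.50"
203.0.113.7 - - [01/Dec/2022:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.81.0" "192.0.2.13"
"""


def _is_trusted_proxy(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def scan(log_text: str) -> dict:
    """Map each connecting address to the distinct client addresses it claimed via
    X-Forwarded-For on wp-login.php / xmlrpc.php requests.

    Connections from trusted proxies are skipped (their header is legitimate), as are
    requests without the header or where the claimed address equals the real one."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, xff = m["src"], m["xff"].strip()
        path = m["path"].split("?", 1)[0]
        if not path.endswith(WATCHED_PATHS):
            continue
        if xff in ("", "-") or _is_trusted_proxy(src):
            continue
        # The leftmost hop is the one a plugin trusting the header would treat as the client.
        claimed = xff.split(",")[0].strip()
        if claimed != src:
            findings[src].add(claimed)
    return {src: sorted(vals) for src, vals in findings.items()}


def rotating_sources(findings: dict, min_distinct: int = 2) -> list:
    """Sources that cycled through several claimed addresses: the first log indicator above."""
    return sorted(src for src, vals in findings.items() if len(vals) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for src, claimed in found.items():
        print(f"{src} claimed {len(claimed)} different client addresses: {', '.join(claimed)}")
    print("rotating:", rotating_sources(found))
```

On the constructed log only 203.0.113.7 is reported, with three distinct claimed addresses; the proxied request from 10.0.0.5 and the header-less request from 198.51.100.20 are ignored. Run against a real export, the first thing to tune is TRUSTED_PROXIES, since a missing proxy range turns every legitimate proxied request into a false positive.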