CVE-2014-6230
Description
WP-Ban plugin before 1.6.4 for WordPress allows remote attackers to bypass IP blacklist by sending a crafted X-Forwarded-For header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP-Ban plugin for WordPress, in versions before 1.6.4, takes the client IP address from the X-Forwarded-For HTTP header whenever that header is present, without checking whether the web server (or a reverse proxy in front of it) strips or overwrites client-supplied copies of the header. Because X-Forwarded-For is an ordinary request header that any client can set, an attacker whose real address is blacklisted can make the plugin see a different, non-banned address. The plugin did not warn administrators of this dependency, so the ban list was only effective in server configurations that happened to sanitise the header [1][2][3][4].
Exploitation
An attacker who can reach the WordPress site over the network sends an HTTP request carrying a crafted X-Forwarded-For header whose value is not on the blacklist. No authentication or special privileges are required. For example, if 127.0.0.1 is banned, running curl http://localhost/ -H 'X-Forwarded-For: 999.999.999.999' returns the page instead of the ban message; the value need not even be a valid IP address, only one that is absent from the ban list [3][4].
Impact
Successful exploitation allows an attacker to bypass IP-based access restrictions enforced by the plugin. This can lead to unauthorized access to content or functionality that the administrator intended to block. The CVSS v2 base score is 5.0 (Medium) with vector AV:N/AC:L/Au:N/C:P/I:N/A:N, indicating partial confidentiality impact but no integrity or availability impact [3][4].
Mitigation
Upgrade to WP-Ban 1.6.4 or later, which adds a 'reverse proxy' option so that administrators choose whether the X-Forwarded-For header is consulted at all. If the site is served through a reverse proxy, enable the 'I am using a reverse proxy' setting and make sure the proxy overwrites any X-Forwarded-For header the client supplied with the address it observed, rather than passing the client's value through. If no reverse proxy is in place, leave the option off so the plugin uses the connection's source address. No other workarounds are available [1][2][3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wp-ban_project:wp-ban:*:*:*:*:*:wordpress:*:* (range: <=1.6.3)
- (no CPE) (range: <1.6.4)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin trusts the X-Forwarded-For HTTP header as the source IP without validating whether the server configuration guarantees its authenticity, allowing an attacker to spoof a non-banned IP."
Attack vector
An attacker can bypass the IP blacklist by sending a crafted `X-Forwarded-For` header containing an arbitrary value that is not on the ban list [ref_id=1][ref_id=2]. The plugin trusts this header as the source IP whenever it is present, so a banned user simply includes `X-Forwarded-For: 999.999.999.999` (or any non-banned address) in the HTTP request [ref_id=1]. The attack only works when the web server configuration does not strip or overwrite incoming `X-Forwarded-For` headers [ref_id=1][ref_id=2]. The only preconditions are network access to the WordPress site and the ability to set arbitrary request headers, which any HTTP client provides [CWE-20].
Affected code
The WP-Ban plugin (versions before 1.6.4) reads the visitor's IP address from the `X-Forwarded-For` HTTP header when that header is present [ref_id=1][ref_id=2]. The advisory does not specify the exact PHP function or file path responsible for this logic, but the flaw lies in the IP-address retrieval code that trusts the `X-Forwarded-For` header without validating whether the web server has already stripped or replaced it [ref_id=1].
What the fix does
The advisory states that upgrading to version 1.6.4 or later fixes the vulnerability [ref_id=1][ref_id=2]. The patch itself is not in the bundle, but the mitigation guidance shows the shape of the fix: a new "I am using a reverse proxy" setting that the administrator must enable, and, when it is enabled, a requirement that the proxy set the `X-Forwarded-For` header itself even if the request already carries one [ref_id=1][ref_id=2]. The header is therefore only trusted once the administrator has asserted that a proxy in front of the site controls it; without that assertion the plugin no longer lets a client-supplied header override the source address.
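The lookup pattern described in the Affected code and What the fix does paragraphs, beside a hardened version, as an added example that is not WP-Ban's own code (the advisory does not show the plugin's source). The function names, the `$trusted_proxies` list and the request arrays are assumptions constructed for illustration. It also goes one step beyond the advisory by handling a proxy that appends rather than overwrites the header: only the rightmost entry, the one the proxy itself added, is used.

```php
<?php
// Added example (not WP-Ban's own code): the client-IP lookup pattern the
// advisory describes, beside a hardened version. Function names, the
// trusted-proxy list and the request arrays are illustrative assumptions.

declare(strict_types=1);

/**
 * Flawed pattern described for WP-Ban < 1.6.4: X-Forwarded-For, when present,
 * wins over the socket peer address, regardless of who put it there.
 */
function wpban_get_ip_vulnerable(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim($server['HTTP_X_FORWARDED_FOR']);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened lookup. X-Forwarded-For is consulted only when the operator has
 * declared a reverse proxy AND the TCP peer is one of the listed proxies.
 * A compliant proxy appends its view of the client to the end of the list,
 * so the rightmost entry is the only one the proxy vouches for; everything
 * to its left is client-controlled and is ignored.
 */
function wpban_get_ip_hardened(array $server, bool $behind_proxy, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    if (!$behind_proxy || !in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    $parts     = array_map('trim', explode(',', $xff));
    $candidate = end($parts);

    // Reject values that are not IP addresses at all (e.g. 999.999.999.999);
    // fall back to the peer rather than letting garbage dodge the ban list.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    return $candidate;
}

function wpban_is_banned(string $ip, array $banned_ips): bool
{
    return in_array($ip, $banned_ips, true);
}

// --- Constructed demonstration requests (not captured traffic) ---
$banned  = ['127.0.0.1'];
$trusted = ['10.0.0.2'];

// Direct request from the banned host that spoofs the header, as in the advisory.
$spoofed = [
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '999.999.999.999',
];

// Same attacker, but the site sits behind a proxy at 10.0.0.2 that appends
// the real peer address to whatever the client sent.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '999.999.999.999, 127.0.0.1',
];

printf("vulnerable, direct:  ip=%s banned=%s\n",
    wpban_get_ip_vulnerable($spoofed),
    var_export(wpban_is_banned(wpban_get_ip_vulnerable($spoofed), $banned), true));
printf("hardened, no proxy:  ip=%s banned=%s\n",
    wpban_get_ip_hardened($spoofed, false, $trusted),
    var_export(wpban_is_banned(wpban_get_ip_hardened($spoofed, false, $trusted), $banned), true));
printf("hardened, via proxy: ip=%s banned=%s\n",
    wpban_get_ip_hardened($via_proxy, true, $trusted),
    var_export(wpban_is_banned(wpban_get_ip_hardened($via_proxy, true, $trusted), $banned), true));
```

Run with `php example.php`. The flawed lookup resolves the direct spoofed request to the attacker's chosen value and the ban does not fire; the hardened lookup resolves it to 127.0.0.1 whether the site is direct (the header is ignored) or behind the trusted proxy (only the proxy-appended entry counts). The hardened version still depends on the proxy actually adding its own entry: a proxy that forwards a client-supplied header untouched reopens the bypass, which is exactly why the advisory's configuration step matters.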
Preconditions
- config: The web server must not strip or overwrite incoming X-Forwarded-For headers
- network: Attacker must be able to send arbitrary HTTP headers to the WordPress site
- config: The WP-Ban plugin must be configured with an IP blacklist
Reproduction
1. Visit `http://localhost/wp-admin/admin.php?page=wp-ban/ban-options.php` and set "Banned IPs" to `127.0.0.1`.
2. Run `curl http://localhost/` and confirm the "You Are Banned" message appears.
3. Run `curl http://localhost/ -H 'X-Forwarded-For: 999.999.999.999'` and observe that the page content is displayed, bypassing the ban [ref_id=1][ref_id=2].
Note: this will not work if the web server sets or strips `X-Forwarded-For` headers [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.