Medium severity5.3NVD Advisory· Published Oct 8, 2024· Updated Apr 15, 2026

CVE-2022-4534

Description

The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/wp-limit-failed-login-attempts/tags/5.3/login.phpnvd
plugins.trac.wordpress.org/changeset/3163023/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/561ec1b2-ee26-4e0c-b437-d70b04be5b4cnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000