DoLogin Security < 3.7 - IP Spoofing
Description
The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / DoLogin Security plugin
  - Range: < 3.7
Patches
Vulnerability mechanics
Root cause
"The plugin trusts the X-Forwarded-For HTTP header to determine the client IP address without validation, enabling IP spoofing."
Attack vector
An attacker can spoof their IP address by injecting a crafted `X-Forwarded-For` header into the HTTP request [ref_id=1]. The plugin trusts this header without verification, allowing the attacker to impersonate any arbitrary IP address [CWE-290]. This could bypass IP-based access controls or logging mechanisms that the plugin relies on.
Affected code
The advisory does not specify exact files or functions. The plugin uses HTTP headers such as `X-Forwarded-For` to retrieve the client IP address [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 3.7 of the DoLogin Security plugin [ref_id=1]. No patch diff is provided, but the fix likely involves validating or discarding untrusted proxy headers and instead using a reliable source for the client IP, such as the direct socket connection.
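As an added illustration (not DoLogin Security's code, and not the actual 3.7 patch, which the advisory does not publish), the snippet below places the header-trusting pattern the advisory describes next to a hardened replacement that follows the approach outlined above: the TCP peer address (REMOTE_ADDR) is authoritative, and X-Forwarded-For is honoured only when the request arrived through a configured reverse proxy. The proxy address list, function names and sample requests are assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's code). Both functions take the request's
// $_SERVER-style array as a parameter so they can be exercised offline.

/**
 * Vulnerable pattern (CWE-290): whatever the requester puts in X-Forwarded-For
 * is accepted as the client IP. Any client can set this header freely, so
 * IP-based allow/deny rules and log entries built on it can be spoofed.
 */
function vulnerable_client_ip(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The left-most entry is the one the requester controls most easily.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened version:
 *  - REMOTE_ADDR (the TCP peer) is the default; no header can change it.
 *  - X-Forwarded-For is consulted only when REMOTE_ADDR is a known proxy.
 *  - The header is walked from the right, skipping our own proxies; the first
 *    address that is not a trusted proxy is the client. Anything further left
 *    was appended by untrusted parties and is ignored.
 *  - Every hop must parse as an IP address; otherwise fall back to REMOTE_ADDR.
 */
function hardened_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;                     // direct connection: header is untrusted
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;                 // malformed header: refuse to trust it
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;                    // first untrusted hop seen from the right
        }
    }
    return $remote;                         // every hop was one of our own proxies
}

// Constructed sample requests (assumed addresses, not captured traffic).
$trusted = ['10.0.0.5'];                    // assumed address of the site's reverse proxy

// 1. Direct request carrying a forged header.
$direct = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.1',
];
// 2. Request relayed by the trusted proxy; the requester prepended a fake hop.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.1, 198.51.100.7',
];

printf("direct  vulnerable=%s hardened=%s\n",
    vulnerable_client_ip($direct), hardened_client_ip($direct, $trusted));
printf("proxied vulnerable=%s hardened=%s\n",
    vulnerable_client_ip($proxied), hardened_client_ip($proxied, $trusted));
```

In both constructed requests the vulnerable function reports the forged address, while the hardened function reports the real peer (198.51.100.7): in the direct case because the header is ignored entirely, and in the proxied case because the right-to-left walk stops at the first hop that is not one of the configured proxies. When checking a site for this class of issue, the trusted-proxy list must match the actual deployment; trusting a header behind no proxy, or trusting the left-most entry behind one, reintroduces the spoofing.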
Preconditions
- Network: The attacker must be able to send HTTP requests to the WordPress site with arbitrary headers.
- Config: The DoLogin Security plugin must be installed and active with a version prior to 3.7.
Reproduction
The advisory does not include a detailed proof of concept, only noting that the plugin uses headers such as `X-Forwarded-For` to retrieve the IP address [ref_id=1]. No reproduction steps are documented in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/28613fc7-1400-4553-bcc3-24df1cee418e (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.