Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing
Description
The ASE WordPress plugin before 7.6.10 trusts client IP headers, allowing attackers to spoof IPs and bypass login attempt limits.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Admin and Site Enhancements (ASE) WordPress plugin versions before 7.6.10 retrieve the client IP address from potentially untrusted HTTP headers such as X-Forwarded-For. This design flaw allows an attacker to manipulate the IP value, thereby bypassing the plugin's login limit feature, which relies on the IP address to count and restrict failed login attempts [1].
Exploitation
An attacker with network access to the WordPress site can send login requests while spoofing the client IP via headers like X-Forwarded-For. By varying the spoofed IP for each request, the attacker can avoid triggering the login limit threshold, enabling unlimited brute-force attempts without authentication or user interaction [1].
Impact
Successful exploitation allows an attacker to perform unlimited brute-force login attempts against WordPress user accounts. If a weak password is guessed, the attacker gains unauthorized access to the WordPress admin panel, potentially leading to full site compromise [1].
Mitigation
The vulnerability is fixed in version 7.6.10 of the Admin and Site Enhancements plugin. Users should update to this version immediately. No workarounds are documented, and the issue is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
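The following PHP is an added illustration of the weakness in the Vulnerability section and of the fix the Mitigation section refers to; it is not code from the ASE plugin. It models a login limiter keyed on an IP read from a client-controlled header next to one keyed on the TCP peer address (honouring X-Forwarded-For only behind a proxy the site operates), and runs constructed traffic through both to show which one keeps counting. All function names and the trusted-proxy address are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Counters are kept in memory
// here; a real limiter would persist them (e.g. transients or a table).
declare(strict_types=1);

/** Vulnerable pattern: a client-supplied header overrides REMOTE_ADDR. */
function client_ip_trusting_headers(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return $hops[0]; // leftmost hop is whatever the client chose to send
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** Hardened pattern: only consult XFF when the peer is a proxy we operate. */
function client_ip_hardened(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct client, or no proxy chain to interpret
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    // Walk right to left past our own proxies; the first other hop is the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = filter_var($hops[$i], FILTER_VALIDATE_IP);
        if ($ip === false) {
            return $peer; // malformed hop: fall back to the socket address
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }
    return $peer; // every hop was one of our proxies
}

/** Minimal limiter: true while the key may still attempt a login. */
function login_allowed(array &$counts, string $key, int $limit = 5): bool
{
    $counts[$key] = ($counts[$key] ?? 0) + 1;
    return $counts[$key] <= $limit;
}

// Constructed traffic: one TCP peer, a different forged header on each request.
$vulnCounts = $hardCounts = [];
$blockedVuln = $blockedHard = 0;
for ($n = 1; $n <= 20; $n++) {
    $server = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => "203.0.113.$n"];
    if (!login_allowed($vulnCounts, client_ip_trusting_headers($server))) { $blockedVuln++; }
    if (!login_allowed($hardCounts, client_ip_hardened($server, ['10.0.0.2']))) { $blockedHard++; }
}
printf("header-keyed limiter blocked %d of 20, peer-keyed limiter blocked %d of 20\n", $blockedVuln, $blockedHard);
```

When the site really sits behind a reverse proxy, the hardened version must be configured with that proxy's address, otherwise every request is keyed on the proxy itself and legitimate users share one counter.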
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.6.10
- Range: <7.6.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/72c61904-253d-42d1-9edd-7ea2162a2f85/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.