LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate lim…
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
https://cwe.mitre.org/data/definitions/307.html →Open in CWE collection →https://capec.mitre.org/data/definitions/16.html →Open in CAPEC collection →
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
https://capec.mitre.org/data/definitions/49.html →Open in CAPEC collection →https://capec.mitre.org/data/definitions/560.html →Open in CAPEC collection →
https://capec.mitre.org/data/definitions/565.html →Open in CAPEC collection →
https://capec.mitre.org/data/definitions/600.html →Open in CAPEC collection →
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
https://capec.mitre.org/data/definitions/652.html →Open in CAPEC collection →An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.
https://capec.mitre.org/data/definitions/653.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| limit_login_attempts_reloaded | * | Tracked |