MEDIUM🇬🇧 English

CVE-2024-1340

CVSS 5.4v3.1pub. 2024-02-29upd. 2026-04-08

The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • Webfactoryltd Wp Login Lockdown

    APP
    Webfactoryltd
    < 2.09
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2023-50837HIGH7.6ten sam produkt

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFacto...

CVE-2020-7048CRITICAL9.1ten sam vendor

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to ...

CVE-2019-19915CRITICAL9.0ten sam vendor

The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or ...

CVE-2021-36908HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

CVE-2021-36909HIGH8.8ten sam vendor

Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows ...