MEDIUM🇵🇱 Wersja polska

CVE-2024-1340

CVSS 5.4v3.1pub. 2024-02-29upd. 2026-04-08

The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • Webfactoryltd Wp Login Lockdown

    APP
    Webfactoryltd
    < 2.09
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-50837HIGH7.6ten sam produkt

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFacto...

CVE-2020-7048CRITICAL9.1ten sam vendor

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to ...

CVE-2019-19915CRITICAL9.0ten sam vendor

The "301 Redirects - Easy Redirect Manager" plugin before 2.45 for WordPress allows users (with subscriber or ...

CVE-2021-36908HIGH8.8ten sam vendor

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

CVE-2021-36909HIGH8.8ten sam vendor

Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows ...