
CVE-2020-35590 PoC — WordPress limit-login-attempts-reloaded security vulnerability

Associated Vulnerability
Title: WordPress limit-login-attempts-reloaded security vulnerability (CVE-2020-35590)
Description: LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited in performing a brute force attack, because the client IP header accepts any arbitrary string. When the header input is randomized, the login count never reaches the maximum allowed retries.
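To make the failure mode concrete from the defender's side, here is an added simulation (not the plugin's code and not the PoC tool) of a per-key login limiter fed by two client-IP resolvers: one that trusts the configured header blindly, as the description above says the vulnerable configuration does, and a hardened one that only honours the header from a trusted proxy and only when the value parses as an IP address. The threshold, proxy address and peer address are constructed assumptions.

```python
import ipaddress
from collections import Counter

MAX_RETRIES = 4                 # constructed lockout threshold, not the plugin's default
TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the only reverse proxy allowed to set the header


def client_ip_flawed(remote_addr, headers, header_name):
    """Weak behaviour: whatever string the configured header carries becomes the key."""
    return headers.get(header_name, remote_addr)


def client_ip_hardened(remote_addr, headers, header_name):
    """Honour the header only from a trusted proxy and only if it is a real IP address."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    # X-Forwarded-For may carry a chain "client, proxy1"; the first hop is the client.
    candidate = headers.get(header_name, "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # garbage in the header: fall back to the TCP peer


class LoginLimiter:
    """Minimal per-key failed-login counter standing in for the plugin's lockout logic."""

    def __init__(self, resolver, header_name="X-Forwarded-For"):
        self.resolver = resolver
        self.header_name = header_name
        self.failures = Counter()

    def attempt(self, remote_addr, headers):
        """Return True if the (failed) login is accepted, False if its key is locked out."""
        key = self.resolver(remote_addr, headers, self.header_name)
        if self.failures[key] >= MAX_RETRIES:
            return False
        self.failures[key] += 1
        return True


def run_burst(resolver, attempts):
    """Failed logins from one direct (non-proxy) peer, each with a fresh arbitrary
    header value; returns how many the limiter let through."""
    limiter = LoginLimiter(resolver)
    peer = "203.0.113.7"  # constructed attacker address connecting directly
    allowed = 0
    for i in range(attempts):
        if limiter.attempt(peer, {"X-Forwarded-For": f"junk-{i}"}):
            allowed += 1
    return allowed
```

With the flawed resolver every attempt lands on a new key and none is ever blocked; with the hardened resolver the header is ignored for a non-proxy peer and the lockout triggers after MAX_RETRIES.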
Description
Brute-force tool for WordPress Plugin Limit Login Attempts Reloaded >=2.13.0 - Login Limit Bypass (CVE-2020-35590)
Readme
## Exploit Information

**Exploit Title:** WordPress Plugin Limit Login Attempts Reloaded 2.13.0 - Login Limit Bypass  
**CVE:** [CVE-2020-35590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35590)  
**Date:** 2020-06-09  
**Exploit Author:** N4nj0  
**Software Link:** [https://wordpress.org/plugins/limit-login-attempts-reloaded/](https://wordpress.org/plugins/limit-login-attempts-reloaded/)  
**Version:** 2.13.0  
**Tested on:** WordPress 5.4.1, 5.4.2  
**Vulnerability Advisory:** [https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/](https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/)  

The affected WordPress plugin is intended to be a brute-force attack protection mechanism, and currently has more than **1 million** active installations.  
I've found a rate-limiting bypass under a non-default configuration, which effectively defeats the plugin's purpose.  

## Usage

### Check

`./wp-brute.py -c -u http://wordpress -H X-Forwarded-For -l admin -P /usr/share/wordlists/rockyou.txt`  
`./wp-brute.py --check --url http://wordpress --header X-Forwarded-For --login admin --passwordlist /usr/share/wordlists/rockyou.txt --quiet`  

### Exploit

`./wp-brute.py -e -u http://wordpress -H X-Forwarded-For -l admin -P /usr/share/wordlists/rockyou.txt -q`  
`./wp-brute.py --exploit --url http://wordpress --header X-Forwarded-For --login admin --passwordlist /usr/share/wordlists/rockyou.txt --quiet`  

### Manually unlock user

`mysql -uroot -ppassword wordpress -e "UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts' LIMIT 1;"`  