Impact
The Login Lockdown & Protection plugin for WordPress contains an IP block bypass vulnerability in all versions up to and including 2.14. The flaw stems from the $unblock_key token being insufficiently random: an unauthenticated attacker who knows a legitimate administrative email address can compute a valid unblock key for any IP. By supplying such a key, the attacker prevents the plugin from blocking that IP after excessive failed login attempts, circumventing the brute‑force mitigation. The net effect is that the blocks meant to throttle attackers are rendered ineffective, so a brute‑force attack against site credentials can continue unimpeded despite the blocking logic.
Affected Systems
Every released build of the Login Lockdown & Protection plugin through version 2.14 is vulnerable. The plugin is developed by webfactory and distributed as a WordPress plugin; any WordPress site running an affected version is exposed. No particular operating system or database version is implicated: the issue is confined to the plugin's own code.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. An attacker must first obtain an administrative user's email address, which is often discoverable from public sources or obtainable through social engineering. Once the address is known, the attacker computes an unblock key and supplies it to the plugin, bypassing the IP block. No local privileges or authentication are required, and the direct impact is limited to disabling IP‑based blocking; the vulnerability does not itself yield code execution, though it removes a control that limits password guessing.
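The following PHP is an added example, not code from the Login Lockdown & Protection plugin, and this page does not say how the plugin actually derives $unblock_key. The weak_unblock_key() function is a hypothetical stand‑in for the general class the Impact section describes, a key that is a pure function of a value the attacker can learn (the administrative email), placed beside a hardened issue/redeem pair that draws the key from the OS CSPRNG, binds it to one IP, expires it and makes it single‑use. The function names, the in‑memory store and the sample addresses are all constructed for the demonstration.

```php
<?php
// Added illustration, not the plugin's code. weak_unblock_key() is a
// hypothetical stand-in for any unblock key that depends only on something an
// attacker can learn; the hardened functions show what an unforgeable key needs.

// ---- Hypothetical weak pattern: key is a pure function of the admin email ----
function weak_unblock_key(string $admin_email): string {
    // Anyone who knows $admin_email can recompute this value.
    return md5(strtolower($admin_email));
}

// ---- Hardened pattern ----
// In-memory store standing in for persistent storage (e.g. a WordPress option or transient).
$unblock_store = [];

function issue_unblock_key(array &$store, string $ip, int $now, int $ttl = 900): string {
    // 256 bits from the operating system CSPRNG: nothing to derive, nothing to guess.
    $key = bin2hex(random_bytes(32));
    $store[$key] = ['ip' => $ip, 'expires' => $now + $ttl];
    return $key; // deliver out of band, e.g. by email to the admin address
}

function redeem_unblock_key(array &$store, string $key, string $ip, int $now): bool {
    foreach ($store as $stored_key => $meta) {
        // Constant-time comparison so response timing does not leak partial matches.
        if (!hash_equals((string) $stored_key, $key)) {
            continue;
        }
        // Single use: the key is consumed on first presentation, even if the
        // checks below fail (a key presented from the wrong IP is treated as leaked).
        unset($store[$stored_key]);
        if ($meta['expires'] < $now) {
            return false;                // expired
        }
        return $meta['ip'] === $ip;      // only unblocks the IP it was issued for
    }
    return false;                        // unknown key
}

// ---- Demo with constructed sample values ----
$admin_email = 'admin@example.com';   // constructed
$blocked_ip  = '203.0.113.7';         // constructed (TEST-NET-3)
$other_ip    = '198.51.100.9';        // constructed (TEST-NET-2)
$now         = time();

// Weak scheme: the attacker, knowing only the admin email, produces exactly the
// key the site would accept.
$site_key     = weak_unblock_key($admin_email);
$attacker_key = weak_unblock_key($admin_email);
printf("weak scheme, attacker key equals site key: %s\n", var_export($site_key === $attacker_key, true));

// Hardened scheme: the derived guess is rejected, the real key works once, only
// for its own IP, and only before expiry.
$real_key = issue_unblock_key($unblock_store, $blocked_ip, $now);
printf("derived guess accepted: %s\n", var_export(redeem_unblock_key($unblock_store, $attacker_key, $blocked_ip, $now), true));
printf("real key, wrong IP:     %s\n", var_export(redeem_unblock_key($unblock_store, $real_key, $other_ip, $now), true));

$real_key = issue_unblock_key($unblock_store, $blocked_ip, $now);
printf("real key, right IP:     %s\n", var_export(redeem_unblock_key($unblock_store, $real_key, $blocked_ip, $now), true));
printf("replay of same key:     %s\n", var_export(redeem_unblock_key($unblock_store, $real_key, $blocked_ip, $now), true));

$late_key = issue_unblock_key($unblock_store, $blocked_ip, $now);
printf("after expiry:           %s\n", var_export(redeem_unblock_key($unblock_store, $late_key, $blocked_ip, $now + 3600), true));
```

Run with `php example.php`. The point of the contrast is the first line of output: under the weak scheme the attacker's independently computed key is identical to the site's, which is exactly what lets the block be lifted without ever receiving the key. Under the hardened scheme the key carries no relation to any known value, so the only way to obtain it is to receive it through the out‑of‑band channel, and even then it is good for one IP, one use and a short window.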
OpenCVE Enrichment