Description
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
Published: 2025-05-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized IP Whitelisting
Action: Patch it
AI Analysis

Impact

The Login Lockdown & Protection plug‑in for WordPress is missing an authorization check (CWE‑862) in its ajax_run_tool function. Because WordPress wp_ajax_* handlers are reachable by every logged‑in user, any account with at least Subscriber privileges can call that handler and obtain a valid nonce. The nonce can then be used to generate a global unlock key, and the key can be used to add arbitrary IP addresses to the plug‑in's allowlist, circumventing the IP‑based lockout the plug‑in is designed to enforce. The chain only works on fresh installations where a site administrator has not yet visited the loginlockdown settings page; once that page has been opened, the advisory states the issue is no longer exploitable.

Affected Systems

This issue affects the webfactory Login Lockdown & Protection plug‑in in all versions up to and including 2.11. Within that range, only WordPress sites where a site administrator has not yet visited the plug‑in's loginlockdown page are exploitable. Sites whose administrator has already opened that page are not exposed to this particular chain, but they should still be updated rather than relying on that state.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of active exploitation. The plug‑in is not listed in the CISA KEV catalog, which further suggests the vulnerability has not been widely abused. Exploitation requires an existing authenticated account with Subscriber or higher privileges on the WordPress installation (trivial to obtain where open registration is enabled) and a site whose administrator has not yet visited the plug‑in's settings page. Under those conditions the missing authorization check lets the attacker add entries to the allowed IP list. The vulnerability is contained to the plug‑in's configuration and does not by itself provide code execution or database access. Its value to an attacker is as a stepping stone: an allowlisted IP is exempt from the failed‑login lockout the plug‑in enforces, so password‑guessing attacks against wp-login.php from that address are no longer throttled or blocked, and the allowlist entry persists until an administrator notices and removes it.

Generated by OpenCVE AI on April 20, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Login Lockdown & Protection plug‑in to version 2.12 or newer, which adds the missing capability check to ajax_run_tool. Confirm the fixed version against the vendor's changelog, since the Remediation field above lists no vendor fix.
  • If an update cannot be applied immediately, have a site administrator open the plug‑in's loginlockdown settings page once; the advisory states the issue is only exploitable on installations where this has not yet happened.
  • Until the plug‑in is patched, limit who can obtain Subscriber‑level access: disable open registration (Settings > General > "Anyone can register") if it is not needed, review existing low‑privilege accounts, and audit the plug‑in's IP allowlist for entries no administrator added. Deactivating the plug‑in removes the endpoint entirely, at the cost of losing its lockout protection in the meantime.

Generated by OpenCVE AI on April 20, 2026 at 22:54 UTC.
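The pattern behind CWE‑862 in a WordPress AJAX handler, and the fix the recommended update applies in principle, as an added example. This is illustrative code written for this page, not the Login Lockdown & Protection plug‑in's actual source; the hook names, tool names, nonce actions and option key are assumptions. It shows why a handler that leaks a nonce to any logged‑in user undermines a later privileged action: a nonce proves the request came from that user's session, not that the user is an administrator.

```php
<?php
/*
 * Added example: a WordPress AJAX "run tool" handler in its vulnerable and
 * hardened shapes. Not the Login Lockdown & Protection plug-in's code; the
 * example_* hooks, option key and tool names are assumptions.
 */

// --- Vulnerable shape (CWE-862) -------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, Subscriber included,
// so without a capability check any account reaches this code.
add_action( 'wp_ajax_example_run_tool', 'example_run_tool_vulnerable' );

function example_run_tool_vulnerable() {
    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';

    // Hands a nonce for a privileged follow-up request to whoever asks.
    if ( 'get_unlock_nonce' === $tool ) {
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool' );
}

// --- Hardened shape: authorize, then verify nonce, then act ---------------
add_action( 'wp_ajax_example_run_tool_fixed', 'example_run_tool_fixed' );

function example_run_tool_fixed() {
    // 1. Authorization: only users who may manage the site run tools.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this action
    //    (check_ajax_referer() dies with -1 / 403 on failure).
    check_ajax_referer( 'example_run_tool', 'nonce' );

    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'get_unlock_nonce' === $tool ) {
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

// The consumer of that nonce must repeat the capability check. A nonce is
// minted per user and only proves origin; it is never a substitute for
// current_user_can(), which is exactly the gap the advisory describes.
add_action( 'wp_ajax_example_allowlist_ip', 'example_allowlist_ip' );

function example_allowlist_ip() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_unlock', 'nonce' );

    $ip = isset( $_POST['ip'] ) ? trim( wp_unslash( $_POST['ip'] ) ) : '';
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        wp_send_json_error( 'invalid ip', 400 );
    }

    // Assumed option key for the demonstration; deduplicate before saving.
    $allowlist   = (array) get_option( 'example_ip_allowlist', array() );
    $allowlist[] = $ip;
    $allowlist   = array_values( array_unique( $allowlist ) );
    update_option( 'example_ip_allowlist', $allowlist );

    wp_send_json_success( array( 'allowlist' => $allowlist ) );
}
```

When auditing a plug‑in for this class of bug, grep for every add_action( 'wp_ajax_... registration and confirm the callback begins with a current_user_can() test before it reads input, returns a nonce, or writes an option; a check_ajax_referer() call on its own does not close the hole.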


Advisories
Source: EUVD
ID: EUVD-2025-13666
Title: The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00032}
Values Added: epss {'score': 0.00037}


Wed, 07 May 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 04:45:00 +0000

Type: Description
Values Added: The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
Type: Title
Values Added: Login Lockdown & Protection <= 2.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:55.771Z

Reserved: 2025-04-17T13:28:21.186Z

Link: CVE-2025-3766

Vulnrichment

Updated: 2025-05-07T13:20:22.734Z

NVD

Status : Deferred

Published: 2025-05-07T05:15:48.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses