WordPress Login Lockdown & Protection Plugin IP Block Bypass Vulnerability

Vulnerability

A vulnerability exists in the Login Lockdown & Protection plugin for WordPress, affecting all versions up to and including 2.14. The issue arises from the unblock key being inadequately randomized, which allows unauthenticated users with knowledge of an administrative user's email to create valid unblock keys for their own IP addresses. This flaw enables these users to circumvent blocks imposed for excessive invalid login attempts.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass IP blocks, potentially leading to repeated login attempts and the associated risks of brute-force attacks.

Reproduction

To reproduce this vulnerability, an unauthenticated user must know the email address of an administrative user. The user can then request an unblock for their own IP by generating an unblock key from that email. Once the key is created, it can be used to bypass the login attempt block.

Remediation

Users are advised to update the Login Lockdown & Protection plugin to version 2.15 or a newer patched version.
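The root cause is an unblock key that can be recomputed from information an attacker already holds. The pattern a patched implementation needs is a key drawn from the OS CSPRNG, bound to the blocked address, stored only as a hash, time-limited and single-use. The following is an added illustration of that pattern and is not the plugin's code or its actual patch; the function names, the in-memory `$store` array and the 15-minute lifetime are assumptions.

```php
<?php
// Added illustration, not Login Lockdown's code: a lockout-unblock key that is
// unguessable, bound to the blocked IP, hashed at rest, single-use and expiring.
// Storage is an in-memory array here; a plugin would use a transient or option.

const UNBLOCK_TTL = 900; // seconds; assumed value

function issue_unblock_key(array &$store, string $ip, int $now): string {
    // 256 bits from the OS CSPRNG: nothing the requester knows (admin email,
    // IP, timestamp) contributes to the key, so it cannot be recomputed.
    $key = bin2hex(random_bytes(32));
    // Persist only a hash so a database leak does not reveal live keys.
    $store[hash('sha256', $key)] = ['ip' => $ip, 'expires' => $now + UNBLOCK_TTL];
    return $key;
}

function redeem_unblock_key(array &$store, string $key, string $ip, int $now): bool {
    $id = hash('sha256', $key);
    if (!isset($store[$id])) {
        return false;
    }
    $rec = $store[$id];
    // Single use: discard the record before validating so a replay never succeeds.
    unset($store[$id]);
    if ($now > $rec['expires']) {
        return false;
    }
    // The key only lifts the block for the address it was issued to.
    return hash_equals($rec['ip'], $ip);
}

// Constructed demo values.
$store = [];
$key = issue_unblock_key($store, '203.0.113.5', time());
var_dump(redeem_unblock_key($store, $key, '198.51.100.9', time())); // redeemed from a different address
$key = issue_unblock_key($store, '203.0.113.5', time());
var_dump(redeem_unblock_key($store, $key, '203.0.113.5', time()));   // redeemed by the blocked address
var_dump(redeem_unblock_key($store, $key, '203.0.113.5', time()));   // second use of the same key
```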

Added: Dec 13, 2025, 5:27 PM
Updated: Dec 13, 2025, 5:27 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          3.4
impact          0.6
exploitability  8.6
remediation     7.7
relevance       1.4
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.