WordPress Login Lockdown & Protection Plugin Nonce Vulnerability Allowing IP Whitelisting

A vulnerability exists in the Login Lockdown & Protection plugin for WordPress, affecting all versions through 2.11. The issue arises from a missing capability check in the 'ajax_run_tool' function, allowing authenticated attackers with Subscriber-level access or higher to access a valid nonce. This nonce can be used to create a global unlock key, which in turn can add arbitrary IP addresses to the plugin's allowlist. The vulnerability can only be exploited on new installations where the site administrator has not yet visited the loginlockdown page.

Impact

Exploitation of this vulnerability allows for unauthorized IP whitelisting, potentially bypassing security measures that block or limit access based on login behavior.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher must send a request to the 'ajax_run_tool' function without the proper capability. This can be done by exploiting the missing authorization to access a valid nonce, which can then be used to generate a global unlock key for whitelisting IP addresses.

Remediation

Users are advised to update the Login Lockdown & Protection plugin to version 2.12 or a newer patched version.