Description

A flaw was found in Wordpress 5.1. "X-Forwarded-For" is a HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging could be manipulated.

Remediation

References

CVE-2020-35539

Related Vulnerabilities

WordPress Plugin WP Import Export Lite Security Bypass (3.9.4)

PHP Improper Access Control Vulnerability (CVE-2016-5385)

Ruby Improper Input Validation Vulnerability (CVE-2009-5147)

WordPress Plugin TI WooCommerce Wishlist Security Bypass (1.21.11)

WordPress Plugin Wp2android-webapp native mobile app builder free (android, IOs, Winphone mobile App) Arbitrary File Upload (1.1.4)

Severity

Critical

Classification

CVE-2020-35539 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities