CVE-2025-3766: CWE-862 Missing Authorization in webfactory Login Lockdown & Protection
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
AI Analysis
Technical Summary
The Login Lockdown & Protection plugin for WordPress suffers from a missing capability check on the ajax_run_tool function in versions up to 2.11. This flaw permits authenticated users with low privileges (Subscriber-level and above) to retrieve a valid nonce. The nonce can then be leveraged to create a global unlock key, which allows adding arbitrary IP addresses to the plugin's allowlist, potentially bypassing login restrictions. This vulnerability only applies to new installations where the administrator has not visited the plugin's loginlockdown page, limiting the attack window.
Potential Impact
An attacker with Subscriber-level access can bypass intended authorization controls to modify the plugin's allowlist by adding arbitrary IP addresses. This could facilitate unauthorized access or bypass of login restrictions enforced by the plugin. The impact is limited to confidentiality and integrity with no availability impact. Exploitation requires authenticated access and is constrained to new installations before administrative interaction with the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should ensure that the loginlockdown page is accessed promptly after installation to close the exploitation window. Restrict Subscriber-level access where possible and monitor for suspicious activity related to plugin allowlist modifications.
CVE-2025-3766: CWE-862 Missing Authorization in webfactory Login Lockdown & Protection
Description
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Login Lockdown & Protection plugin for WordPress suffers from a missing capability check on the ajax_run_tool function in versions up to 2.11. This flaw permits authenticated users with low privileges (Subscriber-level and above) to retrieve a valid nonce. The nonce can then be leveraged to create a global unlock key, which allows adding arbitrary IP addresses to the plugin's allowlist, potentially bypassing login restrictions. This vulnerability only applies to new installations where the administrator has not visited the plugin's loginlockdown page, limiting the attack window.
Potential Impact
An attacker with Subscriber-level access can bypass intended authorization controls to modify the plugin's allowlist by adding arbitrary IP addresses. This could facilitate unauthorized access or bypass of login restrictions enforced by the plugin. The impact is limited to confidentiality and integrity with no availability impact. Exploitation requires authenticated access and is constrained to new installations before administrative interaction with the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should ensure that the loginlockdown page is accessed promptly after installation to close the exploitation window. Restrict Subscriber-level access where possible and monitor for suspicious activity related to plugin allowlist modifications.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-17T13:28:21.186Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d981bc4522896dcbd9be3
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 4/9/2026, 10:15:41 AM
Last updated: 5/8/2026, 7:05:25 AM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.