CVE-2025-3766: CWE-862 Missing Authorization in webfactory Login Lockdown & Protection
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-3766 affects the Login Lockdown & Protection WordPress plugin developed by webfactory, specifically versions up to 2.11. The root cause is a missing capability check in the ajax_run_tool function, which is responsible for handling AJAX requests related to the plugin's lockdown features. This missing authorization allows any authenticated user with at least Subscriber-level privileges to request and obtain a valid nonce. Normally, nonces are used to protect against CSRF attacks and ensure that actions are performed by authorized users. However, in this case, the nonce can be exploited to generate a global unlock key. This key can then be used to add arbitrary IP addresses to the plugin's allowlist, effectively bypassing the IP-based login restrictions that the plugin enforces. The vulnerability is exploitable only on new installations where the site administrator has not yet visited the loginlockdown page, which presumably initializes or restricts access controls. Because Subscriber-level users are typically low-privileged, this vulnerability escalates their ability to circumvent security controls without requiring administrator credentials. The attack vector is remote over the network, with low complexity and no user interaction needed beyond authentication. The vulnerability impacts confidentiality and integrity by allowing unauthorized access control modifications but does not affect availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low complexity, low privileges required, no user interaction, unchanged scope, low confidentiality and integrity impact, and no availability impact.
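The advisory does not show the plugin's code, so the following is an added illustration of the CWE-862 pattern it describes: a hypothetical WordPress admin-ajax handler that hands out a nonce without checking who asked, beside the hardened form that verifies the request nonce and requires an administrative capability. All example_* names, the 'manage_options' capability and the nonce action strings are assumptions, not values from the plugin.

```php
<?php
// Added illustration, not the plugin's own code. Names prefixed example_ are hypothetical.
// wp_ajax_* hooks fire for ANY logged-in user, Subscriber included; the hook itself
// performs no role check, so authorization must live inside the callback.

// Vulnerable shape (CWE-862): no capability check, so any authenticated user
// can request the tool and receive a nonce for a privileged follow-up action.
function example_ajax_run_tool_vulnerable() {
    $tool = isset( $_POST['tool'] ) ? sanitize_key( wp_unslash( $_POST['tool'] ) ) : '';
    if ( 'get_unlock_nonce' === $tool ) {
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool' );
}

// Hardened shape: a nonce only proves the request came from the site's own
// pages (CSRF protection); it says nothing about the caller's role. The
// current_user_can() check is the actual authorization and is what was missing.
function example_ajax_run_tool_fixed() {
    check_ajax_referer( 'example_tools', 'nonce' );   // dies with 403 on a bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {   // admin-only: the CWE-862 fix
        wp_send_json_error( 'forbidden', 403 );       // wp_send_json_* calls exit()
    }
    $tool = isset( $_POST['tool'] ) ? sanitize_key( wp_unslash( $_POST['tool'] ) ) : '';
    if ( 'get_unlock_nonce' === $tool ) {
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

// Register only the hardened handler. No wp_ajax_nopriv_ variant is added,
// so anonymous requests never reach it, and the capability check covers
// low-privileged authenticated users.
add_action( 'wp_ajax_example_run_tool', 'example_ajax_run_tool_fixed' );
```

When reviewing a plugin for this class of bug, look at every wp_ajax_ callback and confirm it calls current_user_can() (or an equivalent role check) before any state-changing or nonce-issuing action, since check_ajax_referer() alone does not restrict who may call it.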
Potential Impact
This vulnerability allows low-privileged authenticated users to bypass IP-based login restrictions by adding arbitrary IP addresses to the allowlist. This can facilitate unauthorized access attempts, including brute force attacks from whitelisted IPs, potentially leading to credential compromise or unauthorized account access. Organizations relying on the Login Lockdown & Protection plugin to secure login endpoints may have a false sense of security, as the IP allowlist can be manipulated without administrator consent. The risk is particularly significant for sites with multiple low-privileged users or where Subscriber roles are assigned broadly. Although the vulnerability does not directly compromise availability, the integrity and confidentiality of the authentication process are undermined. Attackers could leverage this to escalate attacks or maintain persistent access. Since exploitation requires authenticated access, the threat is mitigated somewhat by existing access controls, but the ease of exploitation and the potential for privilege escalation make it a notable risk. The lack of known exploits in the wild reduces immediate urgency but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is widely known.
Mitigation Recommendations
Administrators should immediately restrict Subscriber-level user capabilities to the minimum necessary and audit user roles to ensure no unnecessary accounts have access. It is critical to monitor and restrict access to the loginlockdown page, ensuring administrators visit this page promptly after installation to initialize proper controls. Until an official patch is released, consider disabling or uninstalling the Login Lockdown & Protection plugin on new installations or sites with multiple low-privileged users. Implement additional monitoring on IP allowlist changes and audit logs for suspicious activity. Employ network-level controls such as firewall rules and VPNs to limit login attempts from untrusted IP addresses. Consider using alternative plugins or security solutions with verified authorization checks. Stay updated with vendor advisories and apply patches immediately once available. For environments with high security requirements, consider implementing multi-factor authentication to reduce the risk of unauthorized access even if IP restrictions are bypassed.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-17T13:28:21.186Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9be3
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 2/27/2026, 1:49:12 PM
Last updated: 3/24/2026, 5:42:17 PM