
CVE-2025-3766: CWE-862 Missing Authorization in webfactory Login Lockdown & Protection

Medium
Tags: Vulnerability, CVE-2025-3766, cve, cwe-862
Published: Wed May 07 2025 (05/07/2025, 04:22:54 UTC)
Source: CVE
Vendor/Project: webfactory
Product: Login Lockdown & Protection

Description

The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.

AI-Powered Analysis

Last updated: 07/05/2025, 15:13:31 UTC

Technical Analysis

CVE-2025-3766 is a medium-severity vulnerability in the Login Lockdown & Protection plugin for WordPress, developed by webfactory. It stems from a missing authorization check (CWE-862) in the ajax_run_tool function, which is reachable via AJAX requests: the plugin does not verify the caller's capabilities before handing out a nonce, the token WordPress uses to validate that a request is legitimate. Any authenticated user with Subscriber-level access or higher can therefore obtain a valid nonce, use it to generate a global unlock key, and with that key add arbitrary IP addresses to the plugin's allowlist. This bypasses the plugin's login lockdown protections, potentially enabling unauthorized login attempts from the allowlisted IPs.

Exploitation is limited to new installations where the site administrator has not yet visited the loginlockdown configuration page, since that first visit appears to initialize the relevant security controls. All versions up to and including 2.11 are affected. The CVSS 3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required (an authenticated user), no user interaction, limited impact on confidentiality and integrity, and no impact on availability. No exploits in the wild have been reported and no patch has been linked yet. The vulnerability matters because it lets low-privileged users tamper with security controls, undermining the plugin's purpose of protecting WordPress login endpoints against brute-force and other unauthorized access attempts.
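As an added illustration (not the plugin's actual code), the WordPress AJAX pattern the advisory describes, beside its hardened form: a `wp_ajax_*` callback that returns a nonce without first checking the caller's capability, and the same callback with the authorization and CSRF checks in the right order. The hook name, nonce actions and tool names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Hook name, nonce actions and
// tool names are hypothetical; only the bug class (CWE-862) is from the advisory.

// Vulnerable pattern: a wp_ajax_* hook only requires that the caller is logged in,
// so with no capability check any Subscriber can reach this and collect the nonce.
function example_ajax_run_tool_vulnerable() {
    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'get_unlock_nonce' === $tool ) {
        // Leaks a nonce that a later request can use to mint the unlock key.
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_global_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

// Hardened version: authorization first, then the CSRF nonce, then the action.
function example_ajax_run_tool_fixed() {
    // 1. Authorization: only administrators may drive the plugin's tools.
    //    A nonce is a CSRF token, not an authorization decision.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this specific action,
    //    read from the "security" request field. Exits with 403 on failure.
    check_ajax_referer( 'example_run_tool', 'security' );

    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'get_unlock_nonce' === $tool ) {
        wp_send_json_success( array( 'nonce' => wp_create_nonce( 'example_global_unlock' ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

// Register only the fixed handler. No wp_ajax_nopriv_* variant is added, so
// anonymous visitors cannot reach the endpoint at all.
add_action( 'wp_ajax_example_run_tool', 'example_ajax_run_tool_fixed' );
```

The same `current_user_can()` check belongs on every endpoint that consumes the unlock key or edits the allowlist; possessing a valid nonce must never substitute for it.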

Potential Impact

For European organizations using WordPress with the Login Lockdown & Protection plugin, this vulnerability poses a risk of unauthorized access bypass. Attackers with minimal privileges (Subscriber or above) could manipulate the plugin to whitelist their IP addresses, circumventing login restrictions and potentially enabling brute force or credential stuffing attacks from trusted IPs. This could lead to unauthorized account access, data breaches, and further lateral movement within the affected websites. Since WordPress powers a significant portion of European websites, including many small and medium enterprises, NGOs, and public sector sites, the risk is non-trivial. The limitation to new installations where the admin has not yet configured the plugin reduces the immediate risk but also highlights a window of vulnerability during initial setup. Attackers targeting newly deployed sites or staging environments could exploit this to establish persistence or footholds. The impact on confidentiality and integrity is moderate, as unauthorized access could expose sensitive user data or allow content manipulation. Availability is not directly impacted. Given the widespread use of WordPress in Europe and the common deployment of security plugins, this vulnerability could be leveraged in targeted attacks against organizations with less mature security practices or delayed plugin configuration.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Login Lockdown & Protection plugin, especially versions up to 2.11. For new installations, administrators should promptly visit and configure the loginlockdown page to initialize proper security controls, thereby closing the exploitation window. Until an official patch is released, organizations can mitigate risk by restricting Subscriber-level user capabilities or temporarily disabling the plugin on new sites. Implementing strict role-based access controls to limit who can authenticate as Subscribers or higher reduces the attack surface. Monitoring web server logs for unusual IP allowlist modifications or suspicious AJAX requests to the plugin endpoints can help detect exploitation attempts. Additionally, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX calls targeting the ajax_run_tool function. Regularly updating WordPress and plugins once patches are available is critical. Finally, educating site administrators about the importance of initial plugin configuration and secure user role assignments will reduce exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-17T13:28:21.186Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9be3

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 3:13:31 PM

Last updated: 7/31/2025, 3:47:12 PM

