- Allows banning IP addresses, but it trusts the
X-Forwarded-Forheader – many WordPress sites (especially those running without reverse-proxies) may not be configured to reject user-supplied
X-Forwarded-Forheaders, so the IP ban can be easily bypassed.
- No other issues found
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
- Users not authorised to see content (due to the IP blacklist) can easily see content, except in certain configurations. An advisory for this vulnerability is published here: https://advisories.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
- If the plugin is used on a site behind a reverse proxy which sets the
X-Forwarded-Forheader, then the IP ban cannot be so easily bypassed.
- If a reverse proxy is not used, but the web server is configured to strip the
X-Forwarded-Forheader before it reaches WordPress, then the IP ban cannot be so easily bypassed.
- If the header is being set or stripped then there were no other issues identified which indicate this plugin is in any way unsafe.