Plugin inspection:

WP-Ban

Potentially unsafe

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

This recommendation applies to version 1.62 of this plugin, but the most recent version is 1.69.1. These findings may no longer be correct.

Findings

  • Allows banning IP addresses, but trusts the X-Forwarded-For header. Many WordPress sites (especially those not running behind a reverse proxy) are not configured to reject a user-supplied X-Forwarded-For header, so the IP ban can be easily bypassed.
  • No other issues found

Reason for the 'Potentially unsafe' result

The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:

  • Users whose IP address is on the blacklist, and who are therefore not authorised to see content, can easily see it anyway, except in certain configurations. An advisory for this vulnerability is published here: https://advisories.dxw.com/advisories/vulnerability-in-wp-ban-allows-visitors-to-bypass-the-ip-blacklist-in-some-configurations/
  • If the plugin is used on a site behind a reverse proxy which sets the X-Forwarded-For header, then the IP ban cannot be so easily bypassed.
  • If a reverse proxy is not used, but the web server is configured to strip the X-Forwarded-For header before it reaches WordPress, then the IP ban cannot be so easily bypassed.
  • Provided the header is set by a reverse proxy or stripped before it reaches WordPress, no other issues were identified that indicate this plugin is in any way unsafe.
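As an added illustration (not WP-Ban's own code), the difference between a ban check that trusts X-Forwarded-For outright and one that only honours it when the request arrived through a trusted reverse proxy; the proxy address, the banned address and the sample request are all constructed values:

```php
<?php
// Added example (not WP-Ban's code): resolving the client address for an IP ban.
// Constructed: addresses of reverse proxies this site trusts. Leave empty when no
// proxy sits in front of the web server; X-Forwarded-For is then ignored.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Vulnerable pattern: the first X-Forwarded-For hop is trusted unconditionally,
// so the visitor chooses the address that is compared against the ban list.
function client_ip_unsafe(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened pattern: start from the TCP peer (REMOTE_ADDR cannot be set by a
// header) and walk back through X-Forwarded-For only while the hop examined is
// a proxy we trust; the first untrusted hop is the real client.
function client_ip_safe(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // no trusted proxy in front of us: the header is just user input
    }
    // The header lists hops client-first, so walk it from the proxy side.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    $ip = $peer;
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the address we can verify
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
        $ip = $hop; // every hop so far is one of our proxies; keep the last seen
    }
    return $ip;
}

function is_banned(string $ip, array $banned): bool
{
    return in_array($ip, $banned, true);
}

// Constructed request: a banned visitor connecting directly and adding a forged header.
$banned  = ['203.0.113.7'];
$request = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
echo 'unsafe resolver bans: ' . var_export(is_banned(client_ip_unsafe($request), $banned), true) . PHP_EOL;
echo 'safe resolver bans:   ' . var_export(is_banned(client_ip_safe($request, TRUSTED_PROXIES), $banned), true) . PHP_EOL;
```

With the sample request the unsafe resolver compares the forged header value against the ban list, while the safe resolver ignores the header because the connection did not come from a trusted proxy.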

Failure criteria

  • Unsafe request processing

Read more about our failure criteria.