I. VULNERABILITY ------------------------- Data Manipulation with X-Forwarded-For header at WordPress II. CVE REFERENCE ------------------------- CVE-2020-35539 III. VENDOR ------------------------- https://wordpress.org IV. TIMELINE ------------------------- 20/12/2020 Vulnerability discovered 21/12/2020 Vendor contacted 09/03/2021 CVE Assigned V. CREDIT ------------------------- Alphan Yavas VI. DESCRIPTION ------------------------- "X-Forwarded-For" is a HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging could be manipulated. VII. PROOF OF CONCEPT ------------------------- Affected Component: Wordpress core Affected version Wordpress 5.1 -Add X-Forwarded-For header to the /wp-admin -You will get an error about your IP -Next go /wp-admin/admin-ajax.php and add X-Forwarded-For header again