CVE-2024-1340

MEDIUM 5.4

Login Lockdown – Protect Login Form <= 2.08 - Missing Authorization

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist.

CWE	CWE-862
Vendor	webfactory
Product	login lockdown & protection
Published	Feb 20, 2024
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for webfactory login lockdown & protection

Be the first to know when new medium vulnerabilities affecting webfactory login lockdown & protection are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

webfactory / Login Lockdown & Protection

0 ≤ 2.08

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/login-lockdown/trunk/libs/functions.php#L492 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3033542%40login-lockdown%2Ftrunk&old=3027788%40login-lockdown%2Ftrunk&sfp_email=&sfph_mail=

Credits

Lucio Sá