CVE-2025-11707
Login Lockdown & Protection <= 2.14 - IP Block Bypass
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to the $unblock_key value being insufficiently random, which allows unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP address. This makes it possible for unauthenticated attackers to bypass blocks imposed after invalid login attempts.
| CWE | CWE-330 |
| Vendor | webfactory |
| Product | login lockdown & protection |
| Published | Dec 13, 2025 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Affected Versions
webfactory / Login Lockdown & Protection
0 ≤ 2.14
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/9c732ea2-0263-4b18-9aa4-29e387b26362?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/login-lockdown/trunk/libs/functions.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389843%40login-lockdown&new=3389843%40login-lockdown&sfp_email=&sfph_mail=
Credits
William Cooke