vulnerability
WordPress Plugin: change-wp-admin-login: CVE-2025-58595: Protection Mechanism Failure
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Oct 9, 2025 | Oct 16, 2025 | Apr 29, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Oct 9, 2025
Added
Oct 16, 2025
Modified
Apr 29, 2026
Description
The All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. plugin for WordPress is vulnerable to IP Address Spoofing in version 2.0.8 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass login protection.
Solution
change-wp-admin-login-plugin-cve-2025-58595
References
- https://www.cve.org/CVERecord?id=CVE-2025-58595
- https://www.wordfence.com/threat-intel/vulnerabilities/id/42dacd44-f676-4d2d-ad7d-9dc5b4af6d8a?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-38144
- CVE-2025-58595
- https://attackerkb.com/topics/CVE-2025-58595
- CWE-290
- EUVD-EUVD-2025-38144
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.