CVE-2022-1601: 
WordPress vulnerability analysis and mitigation

The User Access Manager WordPress plugin before version 2.2.18 contains a security vulnerability identified as CVE-2022-1601. The vulnerability was discovered by Daniel Ruf and publicly disclosed on August 4, 2023. The issue affects the plugin's IP address handling mechanism, where it incorrectly prioritizes visitor IP addresses from HTTP headers over PHP's REMOTE_ADDR (WPScan Advisory).

The vulnerability stems from the plugin's implementation of IP address validation, specifically in the checkUserGroupAccess() function. The plugin incorrectly prioritizes the HTTPXREALIP header over PHP's native REMOTEADDR variable for determining a visitor's IP address. This implementation flaw has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows attackers to potentially bypass IP-based access restrictions and gain unauthorized access to restricted content. By manipulating HTTP headers, specifically the HTTPXREAL_IP header, an attacker can spoof their IP address to match one from the allowlist, potentially circumventing the plugin's access controls (WPScan Advisory).

Users should upgrade to User Access Manager version 2.2.18 or later, which contains the fix for this vulnerability (WPScan Advisory).