The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
Conclusion & alert: CVE-2022-4539 is rated Low Risk (32.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.63%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 5.15% | 0.63% | -4.52% |
| 2 | 2025-11-21 | 5.66% | 5.15% | -0.51% |
| 3 | 2025-11-19 | — | 5.66% | — |
Full EPSS history (19 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| miniorange | web_application_firewall | < 2.1.3 | cpe:2.3:a:miniorange:web_application_firewall:*:*:*:*:*:wordpress:*:* |