WBCE/WBCE_CMS

Bypass account protection

Closed this issue · 1 comment

Hi team,

I found a way to bypass account protection (not blocked when brute-forcing an account).

Steps (this is a demo of some cases):

  1. If I log in wrongly too many times, the account will be locked.

  2. But I can bypass it by inserting an X-Forwarded-For header, then brute-force without being locked (using the Intruder plugin of Burp Suite).

  3. Set the payload to brute-force and start the attack.

  4. Result: user found (account protection bypassed without being blocked).
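The root cause described in this report is a lockout counter keyed on a client address taken from X-Forwarded-For, a header any client can set. The following is an added example, not code from WBCE CMS: the naive resolver beside a hardened one that only honours the header when the TCP peer is a known proxy, combined with a per-account counter so a rotating address cannot reset the lock. The proxy range, user list and addresses are constructed for the demo.

```python
# Added example, not code from WBCE CMS: an IP-keyed lockout that trusts
# X-Forwarded-For from anyone, beside a hardened variant that only honours
# the header behind a known proxy and also counts failures per account.
from collections import defaultdict
import ipaddress

MAX_FAILURES = 3
USERS = {"admin": "correct-horse"}                        # constructed sample credentials
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed reverse-proxy range

def client_ip_naive(remote_addr, headers):
    # Vulnerable: the lockout key comes from a header any client can set,
    # so each request can present a "new" address and never trip the counter.
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr, headers):
    # Honour X-Forwarded-For only when the TCP peer is our own proxy, and then
    # take the address that proxy appended (rightmost), not a client-supplied one.
    if any(ipaddress.ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr

class LoginGuard:
    def __init__(self, ip_resolver, per_account=False):
        self.resolve, self.per_account = ip_resolver, per_account
        self.failures = defaultdict(int)        # lockout key -> consecutive failures

    def attempt(self, username, password, remote_addr, headers):
        keys = [("ip", self.resolve(remote_addr, headers))]
        if self.per_account:                    # lock the account itself as well
            keys.append(("user", username))
        if any(self.failures[k] >= MAX_FAILURES for k in keys):
            return "locked"
        if USERS.get(username) == password:
            for k in keys:
                self.failures[k] = 0
            return "ok"
        for k in keys:
            self.failures[k] += 1
        return "denied"

def simulate(guard, attempts=6):
    # One host sends wrong passwords, changing the spoofed header on every request.
    return [guard.attempt("admin", f"wrong{i}", "198.51.100.7",
                          {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(attempts)]
```

`simulate(LoginGuard(client_ip_naive))` never returns "locked", while `simulate(LoginGuard(client_ip_hardened, per_account=True))` locks after MAX_FAILURES regardless of the header.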