PT-2017-14248 · WordPress · User-Login-History

Published: 2017-10-24 · Updated: 2017-11-14 · CVE-2017-15867

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

user-login-history plugin for WordPress versions through 1.5.2

Description

The issue allows remote attackers to inject arbitrary web script or HTML via several parameters to the "admin/partials/listing/listing.php" endpoint, including date from, date to, user id, username, country name, browser, operating system, or ip address.

Recommendations

For user-login-history plugin for WordPress versions through 1.5.2, consider disabling access to the "admin/partials/listing/listing.php" endpoint until a patch is available. Restrict the use of the vulnerable parameters date from, date to, user id, username, country name, browser, operating system, and ip address to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2017-15867

Affected products

User-Login-History