CVE-2021-24657

Name of the Vulnerable Software and Affected Versions Limit Login Attempts WordPress plugin versions prior to 4.0.50

Description The issue arises from the plugin not escaping IP addresses of attempted logins before outputting them in the reports table. This can be exploited by an attacker controlling the IP address via headers such as X-Forwarded-For, leading to an Unauthenticated Stored Cross-Site Scripting issue.

Recommendations For versions prior to 4.0.50, update to version 4.0.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the reports table to minimize the risk of exploitation. Avoid using the X-Forwarded-For header in the affected plugin until the issue is resolved.