PT-2023-17291 · WordPress · Limit Login Attempts
Marc Montpas · Published 2023-05-02 · Updated 2023-05-08 · CVE-2023-1861
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Limit Login Attempts WordPress plugin versions 1.7.2 and earlier
Description
The Limit Login Attempts WordPress plugin fails to sanitize and escape usernames before outputting them in the logs dashboard. Any authenticated user, including one with the subscriber role, could therefore perform a Stored Cross-Site Scripting attack against whoever views that dashboard.
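The pattern behind this class of bug, shown as an added illustration that is not the plugin's code: a log table renderer that concatenates the stored username straight into HTML, beside the hardened version that escapes every value at the point of output. The `render_log_unsafe`, `render_log_safe` functions and the sample log rows are constructed for this example; the `esc_html()` stand-in only exists so the file runs outside WordPress, where the real `esc_html()` should be used.

```php
<?php
// Added illustration of the vulnerable vs. hardened output pattern.
// Not the plugin's code: function names and sample data are constructed.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
// Inside WordPress the real function is defined and this block is skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample log entries, resembling what a login limiter might store
// after failed attempts. The second username is user-supplied text that
// happens to contain HTML metacharacters.
$log = [
    ['ip' => '198.51.100.7', 'user' => 'alice',           'attempts' => 3],
    ['ip' => '198.51.100.9', 'user' => '<b>not</b>a<user', 'attempts' => 5],
];

// Vulnerable pattern: stored, user-controlled strings are interpolated into
// HTML without escaping, so any markup in the username reaches the browser
// of whoever views the dashboard.
function render_log_unsafe(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= "<tr><td>{$row['ip']}</td><td>{$row['user']}</td>"
               . "<td>{$row['attempts']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every value is escaped for the HTML text context at the
// moment it is written out, regardless of how it was validated on input.
function render_log_safe(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= '<tr><td>' . esc_html($row['ip'])
               . '</td><td>' . esc_html($row['user'])
               . '</td><td>' . esc_html((string) $row['attempts'])
               . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo render_log_unsafe($log); // second row emits a literal <b> element
echo render_log_safe($log);   // second row emits &lt;b&gt;not&lt;/b&gt;a&lt;user as text
```

The decisive control is escaping at output: the username recorded for a login attempt is whatever text was submitted, so filtering on input is defence in depth rather than a substitute. When the value lands in an attribute or a JavaScript block instead of element text, the matching WordPress helper (`esc_attr()`, `esc_js()`) applies, since `esc_html()` is only correct for the HTML text context.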
Recommendations
Update the Limit Login Attempts WordPress plugin to a version later than 1.7.2, which resolves the issue. As a temporary workaround, restrict access to the logs dashboard to minimize the risk of exploitation.
Exploit
Fix
XSS
Affected Products
Limit Login Attempts