CVE-2021-24657

Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting

EPSS 1.6%CWE-79

Vexday Risk Score

18Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 1.6%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

20 Sep 2021Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue.

Affected products

Unknown · Limit Login Attempts

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/c789ca04-d88c-4789-8be1-812888f0c8f8