Limit Login Attempts Plugin Patches Severe Unauthenticated Stored XSS Vulnerability

Wordfence has published a security advisory about a severe unauthenticated stored Cross-Site Scripting vulnerability in the Limit Login Attempts plugin, which is active on more than 600,000 WordPress sites.

The security issue was discovered by Wordfence security researcher Marco Wotschka in January 2023. It was submitted to the WordPress Plugin Security Team, which acknowledged receipt of the report nearly two months later on March 24, 2023.

“This can be leveraged by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site that may execute when a site administrator accesses the logging page,” Wotschka said.
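The mechanism Wotschka describes is the classic stored-XSS shape for login-lockout plugins: data from an unauthenticated failed-login request (username, User-Agent) is written to the database and later rendered on an admin-only page without escaping, so the payload executes in the administrator's browser with the administrator's session. The following is an added illustration of that pattern and its fix, written for this article; it is not code from the Limit Login Attempts plugin, and the option name `example_lockout_log` and function names are assumptions.

```php
<?php
// Added illustration of the vulnerability class (unescaped failed-login data
// rendered on an admin page). NOT code from the Limit Login Attempts plugin;
// the option name and function names below are assumptions for this example.

// --- Vulnerable pattern ---------------------------------------------------
// The 'wp_login_failed' hook fires for unauthenticated requests, so both the
// username and the User-Agent stored here are fully attacker-controlled.
function vuln_record_failed_login( $username ) {
    $log   = get_option( 'example_lockout_log', array() );
    $log[] = array(
        'user'  => $username,                         // may contain <script>...</script>
        'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', // also attacker-controlled
        'time'  => time(),
    );
    update_option( 'example_lockout_log', $log );
}
// A vulnerable plugin would hook it like this:
// add_action( 'wp_login_failed', 'vuln_record_failed_login' );

// The admin-only log page concatenates stored values straight into HTML.
// Nothing ran at storage time; the script fires when an admin views the log.
function vuln_render_log_page() {
    $log = get_option( 'example_lockout_log', array() );
    echo '<table><tr><th>User</th><th>Agent</th><th>Time</th></tr>';
    foreach ( $log as $entry ) {
        echo '<tr><td>' . $entry['user'] . '</td><td>' . $entry['agent']
           . '</td><td>' . date( 'c', $entry['time'] ) . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened pattern -----------------------------------------------------
// Sanitize on the way in (sanitize_text_field() strips tags and control
// characters) AND escape on the way out (esc_html() for text nodes).
// Output escaping is what actually prevents the XSS; input sanitization only
// limits what reaches the database, and must not be relied on alone because
// older rows written by a vulnerable version are still unescaped.
function safe_record_failed_login( $username ) {
    $log   = get_option( 'example_lockout_log', array() );
    $log[] = array(
        'user'  => sanitize_text_field( wp_unslash( $username ) ),
        'agent' => sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ?? '' ) ),
        'time'  => time(),
    );
    update_option( 'example_lockout_log', $log );
}
add_action( 'wp_login_failed', 'safe_record_failed_login' );

function safe_render_log_page() {
    $log = get_option( 'example_lockout_log', array() );
    echo '<table><tr><th>User</th><th>Agent</th><th>Time</th></tr>';
    foreach ( $log as $entry ) {
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $entry['user'] ),
            esc_html( $entry['agent'] ),
            esc_html( date( 'c', (int) $entry['time'] ) )
        );
    }
    echo '</table>';
}
```

When auditing a plugin of this kind, the check is simple: find every value that originates from an unauthenticated request and is later echoed in wp-admin, and confirm it passes through an output escaper (`esc_html()`, `esc_attr()`, or `wp_kses()` as appropriate) at the point of rendering, not just a sanitizer at the point of storage.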

Version 1.7.2 of the plugin patches the vulnerability. It was released on April 4 with a note in the changelog that simply says “Security fixes.” Version 1.7.1 and previous versions remain vulnerable.

In August 2021 the plugin had more than 900,000 active installs, and more than 2 million in 2018, but it appears to be dying a slow death: before this release it had not been updated in years and looked effectively unmaintained.

Wordfence has more details in its advisory on how the plugin might be exploited and advises users to update immediately.


2 responses to “Limit Login Attempts Plugin Patches Severe Unauthenticated Stored XSS Vulnerability”

  1. Calling this a severe vulnerability is quite an overstatement, which unfortunately isn’t uncommon coming from Wordfence. We publicly warned about this vulnerability in March 2018. If it was a severe issue, it would have been widely exploited by now and Wordfence would have already known about it, but that wasn’t the case.
