Public exploit available: public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24657

Severity: 6.1 MEDIUM
EPSS: 1.3% (top 20.16%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Sep 20; latest update May 24

Description

The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses of attempted logins (which can be controlled by an attacker via headers such as X-Forwarded-For) before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (2)

GHSA
GHSA-68r9-qhv3-7fgg: The Limit Login Attempts WordPress plugin before 4 (2022-05-24)
CVEList
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting (2021-09-20)

Exploits & PoCs (1)

Nuclei
Limit Login Attempts WordPress - Stored Cross-site Scripting
CVE-2021-24657 (MEDIUM CVSS 6.1) | The Limit Login Attempts WordPress | cvebase.io