Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-1029

Severity
4.8 MEDIUM
EPSS
0.5%
top 36.14%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jun 27
Latest update: Jun 28

Description

The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, which allows users with administrator privileges to store malicious JavaScript in those settings, leading to Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5 | unknown/limit_login_attempts | 4.0.72 | 4.0.72

🔴 Vulnerability Details (2)

GHSA
GHSA-5vgw-hh7v-325x: The Limit Login Attempts WordPress plugin before 4 (2022-06-28)
CVEList
Limit Login Attempts < 4.0.72 - Admin+ Stored Cross-Site Scripting (2022-06-27)

💥 Exploits & PoCs (1)

Nuclei
Limit Login Attempts - Stored Cross-Site Scripting
CVE-2022-1029 (MEDIUM CVSS 4.8) | The Limit Login Attempts WordPress | cvebase.io