CVE-2023-1861
Published: 2023-05-02
Priority: P3 (35) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 28.80% (97.9th percentile)
The Limit Login Attempts WordPress plugin through 1.7.2 does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| limit_login_attempts_project | limit_login_attempts | <= 1.7.2 | — |
Suricata
ET WEB_SPECIFIC_APPS WordPress Limit Login Attempts Plugin Stored Cross Site Scripting (CVE-2023-1861)
Source: suricata · Created: 2025-01-17 · CVSS 5.4 · Severity: MEDIUM
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress Limit Login Attempts Plugin Stored Cross Site Scripting (CVE-2023-1861)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; pcre:"/^(?:admin|login)/R"; http.cookie; content:"wordpress_"; fast_pattern; content:"|3d|"; distance:0; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,wpscan.com/vulnerability/461cbcca-aed7-4c92-ba35-ebabf4fcd810/; reference:cve,2023-1861; classtype:web-application-attack; sid:2059302; rev:1; metadata:created_at 2025_01_17, cve
No public exploits indexed.
No writeups or analysis indexed.