CVE-2023-1861

CWE-79 ā€” Cross-site Scripting (XSS)4 documents4 sources
Severity
5.4MEDIUM
EPSS
0.1%
top 64.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Limit Login AttemptsLimit Login Attempts Project Limit Login Attempts
Timeline
PublishedMay 2
Latest updateJan 17

Description

The Limit Login Attempts WordPress plugin through 1.7.2 does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

ā–¶CVEListV5unknown/limit_login_attempts1.7.2

šŸ”“Vulnerability Details

2
CVEList
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSSā†—2023-05-02
ā–¶
GHSA
GHSA-rvp8-3787-qggj: The Limit Login Attempts WordPress plugin through 1ā†—2023-05-02
ā–¶

šŸ”Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS WordPress Limit Login Attempts Plugin Stored Cross Site Scripting (CVE-2023-1861)ā†—2025-01-17
ā–¶
CVE-2023-1861 (MEDIUM CVSS 5.4) | The Limit Login Attempts WordPress | cvebase.io