Wordfence Discovers Severe Security Vulnerability in Limit Login Attempts Plugin
Wordfence, a leading cybersecurity company, has recently published a security advisory regarding a severe unauthenticated stored Cross-Site Scripting vulnerability in the Limit Login Attempts plugin. This plugin is currently active on over 600,000 WordPress sites, making it a significant threat to website security.
The security issue was discovered by Wordfence security researcher Marco Wotschka in January 2023. After the discovery, the vulnerability was submitted to the WordPress Plugin Security Team. However, it took nearly two months for the team to acknowledge receipt of the report, which was done on March 24, 2023.
According to Wotschka, this vulnerability can be exploited by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site. This malicious code may execute when a site administrator accesses the logging page, giving the attacker full control over the website.
Fortunately, version 1.7.2 of the Limit Login Attempts plugin patches the vulnerability. This version was released on April 4 and includes a note in the changelog that simply says “Security fixes.” However, users who are still using version 1.7.1 or previous versions are still vulnerable to this exploit.
It is worth noting that in August 2021, the Limit Login Attempts plugin had more than 900,000 active users. However, it seems to be dying a slow death and is no longer maintained as it hasn’t been updated in years. This makes it even more important for users to update to version 1.7.2 immediately to protect their websites from this vulnerability.
Wordfence has provided more details in the advisory on how the plugin might be exploited and advises users to update immediately. As always, it is crucial to keep all plugins and software up-to-date to ensure website security and prevent potential attacks.
