Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-1029

The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

Published

2022-06-27T09:15:08.760

Last Modified

2024-11-21T06:39:53.373

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	miniorange	limit_login_attempts	< 4.0.72	Yes

References

https://wpscan.com/vulnerability/0e74eeb4-89e2-4873-904f-ad4f25c4a8ba Exploit, Third Party Advisory ([email protected])
https://wpscan.com/vulnerability/0e74eeb4-89e2-4873-904f-ad4f25c4a8ba Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)