Limit Login Attempts Reloaded < 2.16.0 – Authenticated Reflected Cross-Site Scripting | CVE 2020-35589

Description

The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against logged in administrator by making them open a malicious URL

The issue was partially fixed in 2.15.1, and fully remediated in 2.16.0

Proof of Concept

https://example.com/wp-admin/options-general.php?page=limit-login-attempts&tab=d7raf%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Affects Plugins

limit-login-attempts-reloaded

Fixed in 2.16.0

References

CVE

CVE-2020-35589

URL

https://n4nj0.github.io/advisories/wordpress-plugin-limit-login-attempts-reloaded/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.4 (high)

Miscellaneous

Original Researcher

n4nj0

Verified

Yes

WPVDB ID

6d30da09-df37-49be-bb46-0e0fec90850f

Timeline

Publicly Published

2020-12-14 (about 5 years ago)

Added

2020-12-21 (about 5 years ago)

Last Updated

2020-12-22 (about 5 years ago)

Other

Published

Title

Published

2020-07-13

Title

Findus - Directory Listing < 1.1.15 - Authenticated Persistent XSS

Published

2024-10-31

Title

AMP Img Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-11-21

Title

Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting

Published

2023-04-21

Title

Dave's WordPress Live Search <= 4.8.1 - Admin+ Stored XSS

Published

2025-01-16

Title

Sandbox <= 0.4 - Reflected Cross-Site Scripting