VYPR

Login Attempts Limit Wp

by WordPress

CVEs (6)

  • CVE-2022-4303 | High | Jan 23, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.

  • CVE-2022-4532 | Medium | Aug 17, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions.…

  • CVE-2023-1861 | Medium | May 2, 2023
    risk 0.37 | cvss 5.4 | epss 0.29

    The Limit Login Attempts WordPress plugin through 1.7.2 does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks.

  • CVE-2022-1029 | Medium | Jun 27, 2022
    risk 0.31 | cvss 4.8 | epss 0.01

    The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for…

  • CVE-2023-5525 | Medium | Nov 27, 2023
    risk 0.28 | cvss 4.3 | epss 0.00

    The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

  • CVE-2015-6829 | Sep 16, 2015
    risk 0.00 | cvss | epss 0.02

    Multiple SQL injection vulnerabilities in the getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin before 2.0.1 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) X-Forwarded-For or (2) Client-IP HTTP header.