
Limit Login Attempts Plugin Patches Severe Unauthenticated Stored XSS Vulnerability

via wptavern.com

Wordfence has published a security advisory about a severe unauthenticated stored Cross-Site Scripting vulnerability in the Limit Login Attempts plugin, which is active on more than 600,000 WordPress sites.

The security issue was discovered by Wordfence security researcher Marco Wotschka in January 2023. It was submitted to the WordPress Plugin Security Team, which acknowledged receipt of the report nearly two months later on March 24, 2023.

“This can be leveraged by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site that may execute when a site administrator accesses the logging page,” Wotschka said.