CVE-2022-1029 Scanner
CVE-2022-1029 Scanner - Cross-Site Scripting (XSS) vulnerability in Limit Login Attempts WordPress Plugin
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
19 days 1 hour
Scan only one
Domain, Subdomain, IPv4
Toolbox
Limit Login Attempts is a popular WordPress plugin used by site administrators to manage and limit the number of login attempts made on their WordPress sites. This helps in protecting sites from brute-force attacks and unauthorized access. The plugin is commonly used due to its effectiveness in securing WordPress logins. It is suitable for blogs, corporate sites, and e-commerce platforms built on WordPress. Site administrators deploy it to ensure login security and reduce the risk of unauthorized access. The plugin integrates seamlessly with WordPress, providing an additional layer of security without complicated setup.
The detected vulnerability is a stored Cross-Site Scripting (XSS) vulnerability. This occurs when an attacker successfully injects malicious scripts into a web application, which are stored and then executed in the browsers of users who visit the affected site. In this case, the vulnerability allows administrators with malicious intent to inject JavaScript code into the plugin settings. If exploited, this can lead to session hijacking or cookie theft, exposing sensitive user information.
The vulnerability exists in the settings page of the Limit Login Attempts WordPress plugin. Unsanitized and unescaped settings inputs allow for the injection of scripts. Particularly, the "referrer_1" parameter is vulnerable as it does not properly escape input values, enabling the execution of injected JavaScript when the settings page is accessed by any user. This opens the risk of stored XSS where malicious code persists across sessions and users.
Exploitation of this vulnerability allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, potentially stealing cookies, session tokens, or performing actions on behalf of users. This can compromise user accounts and data integrity, resulting in unauthorized actions being performed. The impact is significant for site integrity, user confidence, and data security.
REFERENCES
