Vulnerabilities and security researches forwp-limit-failed-login-attempts wp-limit-failed-login-attempts

Jun 07, 2024

CVE, Research URL: CVE-2022-0787
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: Mar 28, 2022
Research Description: The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections
Affected versions: max 3.1.
Status: vulnerable

CVE, Research URL: CVE-2021-24191
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24193
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24192
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24195
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24194
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24189
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24190
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24188
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: May 14, 2021
Research Description: Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
Affected versions: max 2.9.
Status: vulnerable

Oct 09, 2024

CVE, Research URL: CVE-2022-4534
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: Oct 08, 2024
Research Description: The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
Affected versions: max 5.4.
Status: vulnerable

Dec 15, 2024

CVE, Research URL: CVE-2024-54234
Home page URL: Security reports for Limit Login Attempts (Spam Protection)
Application: Limit Login Attempts (Spam Protection)
Date: Dec 13, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wp-buy Limit Login Attempts allows SQL Injection.This issue affects Limit Login Attempts: from n/a through 5.5.
Affected versions: max 5.6.
Status: vulnerable