Wordfence has published a security advisory about a severe unauthenticated stored Cross-Site Scripting vulnerability in the Limit Login Attempts plugin, which is active on more than 600,000 WordPress sites.

The security issue was discovered by Wordfence security researcher Marco Wotschka in January 2023. It was submitted to the WordPress Plugin Security Team, which acknowledged receipt of the report nearly two months later on March 24, 2023.

“This can be leveraged by unauthenticated attackers to facilitate a site takeover by injecting malicious JavaScript into the database of an affected site that may execute when a site administrator accesses the logging page,” Wotschka said.

Version 1.7.2 of the plugin patches the vulnerability. It was released on April 4 with a note in the changelog that simply says “Security fixes.” Version 1.7.1 and previous versions remain vulnerable.

In August 2021, the plugin had more than 900,000 active users, and more than 2 million in 2018, but seems to be dying a slow death and is no longer maintained, as it hasn’t been updated in years.

Wordfence has more details in the advisory on how the plugin might be exploited and advises users update immediately.