The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against a logged-in administrator by making them open a malicious URL. The issue was partially fixed in 2.15.1 and fully remediated in 2.16.0.
https://example.com/wp-admin/options-general.php?page=limit-login-attempts&tab=d7raf%22%3E%3Cscript%3Ealert(1)%3C/script%3E
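
A defender-side check for the request pattern above, as an added example that is not part of the original advisory or the plugin's code: it scans web-server access log lines for requests to this options page whose decoded `tab` value is not a plain slug. The slug allowlist, the `settings` tab name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tab names are short slugs; the advisory does not list them.
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_tab(target):
    """Return the decoded tab value if it is not a plain slug, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/options-general.php"):
        return None
    query = parse_qs(parts.query)  # percent-decodes every value
    if "limit-login-attempts" not in query.get("page", []):
        return None
    for value in query.get("tab", []):
        if not SAFE_TAB.fullmatch(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, decoded_tab) for every flagged log line."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            value = suspicious_tab(match.group(1))
            if value is not None:
                yield number, value


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/options-general.php?page=limit-login-attempts&tab=settings HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/options-general.php?page=limit-login-attempts&tab=d7raf%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/options-general.php?page=other-plugin&tab=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: tab={value!r}")
```

Because the request is made by the administrator's own browser, a hit identifies the targeted account's session rather than the attacker's address; the `Referer` field of the same log entry is the place to look for where the link came from.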