Limit Login Attempts < 4.0.72 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

PoC

Put the following payload in the “Advanced Blocking” tab > “Block HTTP Referer’s” section > “Add Referer” field: ">