wpvulndb WPVDB-ID:6D30DA09-DF37-49BE-BB46-0E0FEC90850F
Dec 14, 2020 - 12:00 a.m.

Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting

2020-12-14 00:00:00
wpscan.com

EPSS: 0.001 (Low)
Percentile: 21.6%

The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against a logged-in administrator by making them open a malicious URL. The issue was partially fixed in 2.15.1 and fully remediated in 2.16.0.

PoC

https://example.com/wp-admin/options-general.php?page=limit-login-attempts&tab=d7raf"><script>alert(1)</script>
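
A defender-side check for requests of this shape in web server access logs, as an added example (not part of the original advisory or the plugin's code). It assumes common/combined-format access logs and that legitimate tab values are short slugs; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tab names are short slugs; anything else is suspicious.
SAFE_TAB = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request field of a common/combined log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_tab(target):
    """Return the decoded `tab` value if the request targets the plugin's
    options page with a non-slug `tab` parameter, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/options-general.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    if "limit-login-attempts" not in query.get("page", []):
        return None
    for value in query.get("tab", []):
        if not SAFE_TAB.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_tab_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            value = suspicious_tab(match.group(1))
            if value is not None:
                hits.append((number, value))
    return hits

# Constructed sample log lines (addresses, timestamps and tab names are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2020:10:00:01 +0000] "GET /wp-admin/options-general.php?page=limit-login-attempts&tab=settings HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Dec/2020:10:00:09 +0000] "GET /wp-admin/options-general.php?page=limit-login-attempts&tab=d7raf%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5342',
    '203.0.113.7 - - [14/Dec/2020:10:00:15 +0000] "GET /wp-admin/options-general.php?page=other-plugin&tab=%3Cb%3E HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious tab value {value!r}")
```

A hit only shows that an administrator's browser requested such a URL; whether the payload rendered depends on the installed plugin version (affected versions are below 2.16.0).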

CPE
Name: limit-login-attempts-reloaded
Operator: lt
Version: 2.16.0
