CVE-2023-4549: 
WordPress vulnerability analysis and mitigation

The DoLogin Security WordPress plugin before version 3.7 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-4549. The vulnerability was discovered by Bartlomiej Marek and Tomasz Swiadek and was publicly disclosed on August 28, 2023. The issue stems from improper sanitization of IP addresses coming from the X-Forwarded-For header in the WordPress login form (WPScan).

The vulnerability is caused by insufficient sanitization of IP addresses received from the X-Forwarded-For header, which can be exploited to conduct Stored XSS attacks through WordPress's login form. The CVSS score for this vulnerability is rated at 6.1 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it can be exploited remotely without authentication but requires user interaction (NVD).

When successfully exploited, this vulnerability allows attackers to store and execute malicious JavaScript code in the context of other users' browsers. This can lead to the theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (WPScan).

The vulnerability has been fixed in version 3.7 of the DoLogin Security plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).