CVE-2023-6934: 
WordPress vulnerability analysis and mitigation

The Limit Login Attempts Reloaded WordPress plugin (versions up to 2.25.26) was identified with a Stored Cross-Site Scripting vulnerability, tracked as CVE-2023-6934. The vulnerability was discovered by researcher Hung -mov Nguyen and publicly disclosed on December 20, 2023. This security issue affects the plugin's shortcode functionality and impacts WordPress installations using the vulnerable versions (WPScan, Wordfence Advisory).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode implementation. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) by Wordfence and 5.4 (Medium) by NIST. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever users access the compromised pages, potentially leading to unauthorized actions and data theft (Wordfence Advisory).

The vulnerability has been patched in version 2.25.27 of the Limit Login Attempts Reloaded plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).