WPS Limit Login is published by WP Serveur, a French WordPress host. The criticality level for this update is high.
Issue: Validation patterns (all of them) are a good idea and good UX, but they are not enough to guarantee that PHP receives values matching their pattern. It’s possible to send anything else, and the PHP side will treat the data as if it were valid.
Demo: Let’s add the following title: “../../wp-config.php%00”. This could create a “wp-config.php” file at the root of your website. The %00 (null byte) and everything after it will be ignored.
This vulnerability has been patched in v1.2.
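One way to enforce a form's validation pattern again on the PHP side before the value is used in a file path, as an added example (not the plugin's code and not its v1.2 patch). The function names, the pattern itself, the `.txt` suffix and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example with hypothetical helper names; not the plugin's own code.

// The same rule an HTML pattern attribute would express, enforced in PHP.
// \A and \z anchor the whole string; a bare "$" would accept a trailing newline.
const TITLE_PATTERN = '/\A[A-Za-z0-9][A-Za-z0-9 _-]{0,63}\z/';

/**
 * Return the title if it matches the server-side pattern, otherwise null.
 * The browser-side pattern is never trusted: the request may carry anything.
 */
function validate_title(string $raw): ?string
{
    // Explicit null-byte check, so the rejection reason is obvious in review.
    if (strpos($raw, "\0") !== false) {
        return null;
    }
    return preg_match(TITLE_PATTERN, $raw) === 1 ? $raw : null;
}

/**
 * Build the destination path inside $baseDir.
 * Returns null when the title is rejected or the path would leave $baseDir.
 */
function build_target_path(string $baseDir, string $rawTitle): ?string
{
    $title = validate_title($rawTitle);
    $base  = realpath($baseDir);
    if ($title === null || $base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $title . '.txt';
    // Defence in depth: the parent of the final path must be the base directory.
    return dirname($path) === $base ? $path : null;
}

// Constructed sample inputs: one valid title, the title from the demo above
// (encoded and decoded forms), a trailing newline, and a path separator.
$samples = ['My first note', '../../wp-config.php%00',
            "../../wp-config.php\0", "note\n", 'a/b'];
foreach ($samples as $s) {
    $p = build_target_path(sys_get_temp_dir(), $s);
    printf("%-32s => %s\n", json_encode($s), $p ?? 'REJECTED');
}
```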