#Monstra <= 3.0.1 Admin Bruteforce Limit Bypass

admin/index.php

:33-42

// Admin login
if (Request::post('login_submit')) {

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        $login_error = __('You are banned for 10 minutes. Try again
later', 'users');

    } else {

        $user = $users->select("[login='" .
trim(Request::post('login')) . "']", null);
}

The code blocks bruteforce attempts simply by placing a cookie called "login_attempts" in the victims browser an attacker can craft a bruteforce script that either clears cookies or does not send cookies at all.