I just got a message from my client. They were contacted by another company who had their site hacked. They had used Sucuri to identify that loads of HTML files had been loaded into a scripts folder within the limit-login-attempts plugin folder. The infection got in through an inserted line in limit-login-attempts.php.
The HTML files in the new scripts folder were all retail things for Christian Louboutin shoes and similar things. There were about 50 files.
I went to check the site and the login page had been blocked due to too many attempts - I hadn't attempted any log in on that site for a few weeks.
Is there a security flaw in this plugin now? I have deleted it and all the files in the meantime.
Has anyone else come across this?