Impact
The vulnerability resides in the External Login WordPress plugin, allowing an attacker who is authenticated with subscriber-level or higher privileges to misuse an AJAX endpoint that lacks proper capability checks or nonce validation. Exploiting the 'exlog_test_connection' action grants access to diagnostic test results, from which truncated usernames, email addresses, and password hashes of the configured external database can be retrieved. This constitutes a moderate confidentiality compromise, exposing user credentials and personal information to an attacker who can already log into the site.
Affected Systems
WordPress sites that have the External Login plugin installed in versions 1.11.2 or earlier are impacted. The issue is documented for all releases up to and including 1.11.2; newer releases have removed the insecure AJAX action or added appropriate checks. Site owners should verify the plugin version and update to the latest available release.
Risk and Exploitability
The CVSS score of 4.3 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates that the probability of exploitation is low according to current data, and the vulnerability is not listed in the CISA KEV catalog. An attacker still requires authenticated access, but a subscriber-level account, the lowest default role, is sufficient. Once obtained, the exposed data can be used for credential stuffing, phishing, or account takeover. The attack path relies on an authenticated AJAX call to the 'exlog_test_connection' action, which lacks capability checks and nonce validation, allowing a subscriber to retrieve diagnostic test results that include truncated usernames, email addresses, and password hashes. This can be performed from any network that can reach the site’s public interface.
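The missing controls named in the Impact and Risk sections are the two that WordPress provides for every `wp_ajax_*` handler: a nonce bound to the action and a capability check. The following is an added illustration of the weak pattern beside its hardened form; it is not the External Login plugin's code, and the handler names, the `exlog_run_diagnostics_hypothetical` stub, the script handle and the settings-page hook are assumptions.

```php
<?php
// Added example, not the plugin's own code. Diagnostics stub is hypothetical:
// it stands in for whatever query the real test-connection feature runs.
function exlog_run_diagnostics_hypothetical() {
    return array( 'connected' => true, 'rows_seen' => 3,
                  'sample' => array( /* user rows would appear here */ ) );
}

// Weak pattern the advisory describes: wp_ajax_* fires for ANY logged-in user,
// so with no nonce and no capability check a subscriber receives the full
// diagnostic payload. Shown for contrast only; it is not registered below.
function exlog_test_connection_unsafe() {
    wp_send_json_success( exlog_run_diagnostics_hypothetical() );
}

// Hardened form: validate the action-bound nonce, require an administrative
// capability, and return only a status summary rather than row contents.
function exlog_test_connection_hardened() {
    // Ends the request with HTTP 403 when the 'nonce' field is missing/invalid.
    check_ajax_referer( 'exlog_test_connection', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = exlog_run_diagnostics_hypothetical();

    // Never echo usernames, e-mail addresses or hashes back to the browser.
    wp_send_json_success( array(
        'connected' => (bool) $result['connected'],
        'rows_seen' => (int) $result['rows_seen'],
    ) );
}
add_action( 'wp_ajax_exlog_test_connection', 'exlog_test_connection_hardened' );

// Hand the matching nonce only to the settings page script (hypothetical
// handle 'exlog-settings' and page hook), so the front end can send it.
function exlog_enqueue_settings_script_hypothetical( $hook ) {
    if ( 'settings_page_external-login' !== $hook ) {
        return;
    }
    wp_localize_script( 'exlog-settings', 'exlogAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'exlog_test_connection' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'exlog_enqueue_settings_script_hypothetical' );
```

When reviewing a plugin update for this issue, confirm that both `check_ajax_referer()` and a `current_user_can()` test precede any output in the handler; either one alone still leaves the endpoint reachable by low-privilege accounts or by CSRF.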
OpenCVE Enrichment