Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in parswp Hide Login+ hide-login allows Reflected XSS.This issue affects Hide Login+: from n/a through <= 3.5.1.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hide Login+ plugin contains an improper neutralization of user input that allows an attacker to inject arbitrary JavaScript into pages that display user‑supplied query data. This flaw is a reflected cross‑site scripting vulnerability classified as CWE‑79 and is present in all releases of the plugin up to and including version 3.5.1.

Affected Systems

WordPress installations that have the Hide Login+ plugin version 3.5.1 or earlier deployed are affected. The issue does not distinguish between specific WordPress core versions, so any site running a vulnerable plugin instance is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate‑to‑high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not in CISA’s KEV catalog. Based on the description, the likely attack vector involves an attacker crafting a URL that contains malicious input and directing a user to that link. No privileged access or special tools are required for exploitation; the attack succeeds when a victim’s browser processes the crafted request.

Generated by OpenCVE AI on May 2, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hide Login+ plugin to a version newer than 3.5.1 to eliminate the XSS flaw.
  • If an upgrade is not immediately possible, disable or remove the plugin from the WordPress installation.
  • As a temporary protection, apply a site‑wide Content Security Policy that restricts script sources to trusted origins, reducing the impact of potential reflected input.

Generated by OpenCVE AI on May 2, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2740 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohammad Hossein Aghanabi Hide Login+ allows Reflected XSS. This issue affects Hide Login+: from n/a through 3.5.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohammad Hossein Aghanabi Hide Login+ allows Reflected XSS. This issue affects Hide Login+: from n/a through 3.5.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in parswp Hide Login+ hide-login allows Reflected XSS.This issue affects Hide Login+: from n/a through <= 3.5.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00035}

 epss

{'score': 0.00045}

Fri, 31 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohammad Hossein Aghanabi Hide Login+ allows Reflected XSS. This issue affects Hide Login+: from n/a through 3.5.1.
Title WordPress Hide Login+ plugin <= 3.5.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.979Z

Reserved: 2025-01-03T13:16:41.392Z

Link: CVE-2025-22341

cve-icon Vulnrichment

Updated: 2025-01-31T19:28:53.724Z

cve-icon NVD

Status : Deferred

Published: 2025-01-31T09:15:07.470

Modified: 2026-06-17T08:46:36.930

Link: CVE-2025-22341

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')