Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Khan WP Front-end login and register wp-front-end-login-and-register allows Reflected XSS.This issue affects WP Front-end login and register: from n/a through <= 2.1.0.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker crafts a URL to a page rendered by the plugin whose query parameter carries HTML or JavaScript. When a victim opens that URL, the plugin writes the parameter into the generated page without neutralizing it (CWE-79), so the browser executes the injected script within the site's origin. If the victim is logged in, the script can issue authenticated requests as that user (the browser attaches the session cookies, and any WordPress nonces present on the page can be read), read what the page shows, rewrite the DOM to deface the page or present a fake login form, and redirect the victim to a phishing site. WordPress sets its authentication cookies with the HttpOnly flag, so reading them through document.cookie is not the usual outcome; session abuse happens from inside the victim's browser instead. The flaw does not give server-side code execution or direct access to stored data, but it compromises the confidentiality, integrity and availability of whatever the victim's browser session can reach, consistent with the changed scope (S:C) in the CVSS vector recorded below.
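As an added illustration of the weakness class named above (CWE-79), and not code from the WP Front-end login and register plugin or from OpenCVE: a PHP form renderer that reflects a query parameter into an attribute unescaped, beside the same renderer with the value passed through WordPress's esc_attr() at the output point. The parameter name redirect_to, the form markup and the attacker string are assumptions for the example; the page does not name the plugin's vulnerable parameter. The esc_attr() fallback is a simplified stand-in so the file runs without WordPress loaded.

```php
<?php
// Added example of the reflected-XSS pattern behind this CVE. Not the plugin's code.
// "redirect_to", the form markup and the payload are assumptions for illustration.
declare(strict_types=1);

// Stand-in for WordPress esc_attr() so this runs outside WordPress. The real
// function also normalises invalid UTF-8 and avoids double-encoding; inside a
// plugin always call the WordPress escaper rather than a hand-rolled one.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the request value is concatenated into an attribute unchanged, so a
// double quote in the input closes the attribute and the remainder becomes markup.
function render_form_vulnerable(array $query): string
{
    $redirect = $query['redirect_to'] ?? '';
    return '<form method="post" action="' . $redirect . '">'
         . '<input type="text" name="log"></form>';
}

// Hardened: identical output code, but the value is escaped for attribute context.
function render_form_hardened(array $query): string
{
    $redirect = $query['redirect_to'] ?? '';
    return '<form method="post" action="' . esc_attr($redirect) . '">'
         . '<input type="text" name="log"></form>';
}

// Parses the rendered fragment the way a browser would and reports whether the
// <form> element ended up with an inline event handler (any on* attribute).
function form_has_event_handler(string $html): bool
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // fragment lacks <html>/<body>; ignore warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $form = $doc->getElementsByTagName('form')->item(0);
    if ($form === null) {
        return false;
    }
    foreach ($form->attributes as $attr) {
        if (stripos($attr->name, 'on') === 0) {
            return true;
        }
    }
    return false;
}

// Constructed attacker input: closes the action attribute, then adds autofocus plus
// an onfocus handler, which fires as soon as the page loads. Stand-in for $_GET.
$payload = '" autofocus onfocus="alert(document.domain)" x="';
$query   = ['redirect_to' => $payload];

$vulnerable = render_form_vulnerable($query);
$hardened   = render_form_hardened($query);

printf("vulnerable: %s\n  handler injected: %s\n",
    $vulnerable, form_has_event_handler($vulnerable) ? 'yes' : 'no');
printf("hardened:   %s\n  handler injected: %s\n",
    $hardened, form_has_event_handler($hardened) ? 'yes' : 'no');
```

For an attribute that carries a URL, WordPress's esc_url() is the right escaper rather than esc_attr() alone, because it also rejects javascript: and other unsafe schemes; esc_attr() is used here to show the attribute breakout itself. WordPress also slashes request data (wp_magic_quotes), so under WordPress the raw value contains \" rather than "; the backslash does not stop the quote from terminating the attribute.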

Affected Systems

The vulnerability exists in the WP Front-end login and register plugin (slug wp-front-end-login-and-register) by Mohsin Khan. Every installation of the plugin at version 2.1.0 or earlier is affected; the description gives no lower bound. The vulnerable component is the plugin, not WordPress core: the plugin adds front-end registration and login forms to a site, and sites that do not have it installed and active are not exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) is in the high range: the attack is network-reachable, low complexity and needs no privileges on the site, but it requires the victim to open the crafted link (UI:R). The EPSS score below 1 percent estimates a very low probability of exploitation activity in the wild over the next 30 days; it is a forecast, not proof that exploitation is impossible. The SSVC values recorded on this page rate exploitation as none and the flaw as not automatable, and the vulnerability is not in CISA's KEV catalog. In practice the attacker delivers the URL by e-mail, chat or a page the victim already trusts. The payload runs in the victim's browser whether or not the victim is logged in, but the consequences are most serious for an authenticated user, particularly an administrator.

Generated by OpenCVE AI on May 1, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's page on WordPress.org and the Patchstack advisory for a release later than 2.1.0 that fixes the output escaping, and upgrade to it. At the time this page was generated no vendor fix or workaround was listed, so confirm that a fixed release exists rather than assuming one.
  • Until a fixed release is installed, deactivate or remove the plugin; deactivating it stops its code from running on any request, which removes the reflection point.
  • As a compensating control, add a Web Application Firewall rule that blocks requests to the plugin's pages whose query parameters contain HTML tags, inline event handlers (on*=) or javascript: URLs, and keep WordPress core and all other plugins current. A Content-Security-Policy header that disallows inline script limits the impact of any reflected payload, though many WordPress themes and plugins still depend on inline script, so test it before enforcing.
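As an added example for the WAF and monitoring advice above, and not an OpenCVE or plugin artifact: a PHP script that parses combined-format access-log lines, URL-decodes each query parameter once, and flags values carrying the markers a reflected-XSS probe against a login or registration page would contain. The log lines are constructed for the example, and the paths and parameter names (/login/, /register/, redirect_to, ref) are assumptions; the page does not name the plugin's vulnerable parameter.

```php
<?php
// Added detection example (not OpenCVE or plugin code). Hunts access logs for
// reflected-XSS probes in GET query strings. Paths and parameter names are assumed.
declare(strict_types=1);

// Constructed sample in Apache/nginx combined log format: two benign requests,
// one attribute breakout with an event handler, one <script> tag injection.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [23/Jan/2025:16:15:37 +0000] "GET /login/?redirect_to=%2Fmy-account%2F HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jan/2025:16:16:02 +0000] "GET /login/?redirect_to=%22%20autofocus%20onfocus%3Dalert(document.domain)%20x%3D%22 HTTP/1.1" 200 4903 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2025:16:17:45 +0000] "GET /register/?ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5102 "-" "curl/8.4.0"
198.51.100.8 - - [23/Jan/2025:16:18:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Markers that a legitimate redirect target or referral code never contains.
// Heuristic by design; tune to the parameters the plugin actually reads.
const XSS_MARKERS = [
    'tag'     => '/<\s*\/?\s*[a-z!]/i',                    // opening/closing tag or comment
    'handler' => '/\bon[a-z]+\s*=/i',                        // inline event handler, e.g. onfocus=
    'scheme'  => '/\b(?:javascript|data|vbscript)\s*:/i',    // script-capable URL schemes
];

// Pulls method-less path and raw query string out of the quoted request-line field.
// parse_str() URL-decodes each value once, which is what the server-side code sees.
function parse_request_query(string $line): ?array
{
    $re = '/"(?:GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[0-9.]+"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    parse_str($m[2] ?? '', $params);
    return ['path' => $m[1], 'params' => $params];
}

// Returns one record per parameter value that matches a marker, with the line
// number so the hit can be traced back to the full log entry.
function flag_xss_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        $req = parse_request_query($line);
        if ($req === null) {
            continue;
        }
        foreach ($req['params'] as $name => $value) {
            if (!is_string($value)) {
                continue; // nested array parameters (a[]=1) are out of scope here
            }
            foreach (XSS_MARKERS as $marker => $pattern) {
                if (preg_match($pattern, $value)) {
                    $hits[] = [
                        'line'   => $index + 1,
                        'path'   => $req['path'],
                        'param'  => (string) $name,
                        'marker' => $marker,
                        'value'  => $value,
                    ];
                    continue 2; // one record per parameter is enough
                }
            }
        }
    }
    return $hits;
}

// Emit one JSON object per hit, a shape a SIEM or ticketing hook can ingest.
foreach (flag_xss_requests(SAMPLE_LOG) as $hit) {
    echo json_encode($hit, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

The script decodes each value once, as the application does; attackers sometimes double-encode, so a WAF placed in front of the site should normalise before matching (the ModSecurity Core Rule Set does this). Payloads carried in POST bodies never reach the access log, so this covers the URL-delivered case the description refers to, which is the usual delivery method for reflected XSS.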



Advisories
Source: EUVD
ID: EUVD-2025-3238
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin khan WP Front-end login and register allows Reflected XSS. This issue affects WP Front-end login and register: from n/a through 2.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin khan WP Front-end login and register allows Reflected XSS. This issue affects WP Front-end login and register: from n/a through 2.1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Khan WP Front-end login and register wp-front-end-login-and-register allows Reflected XSS.This issue affects WP Front-end login and register: from n/a through <= 2.1.0.
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 13 Feb 2025 08:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Jan 2025 15:30:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin khan WP Front-end login and register allows Reflected XSS. This issue affects WP Front-end login and register: from n/a through 2.1.0.
Title: WordPress WP Front-end login and register plugin <= 2.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:12.610Z

Reserved: 2025-01-16T11:25:56.885Z

Link: CVE-2025-23540

Vulnrichment

Updated: 2025-02-12T20:35:23.654Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:37.577

Modified: 2026-06-17T08:55:12.690

Link: CVE-2025-23540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')