Impact
The all-in-one-box-login plugin fails to neutralize user input before inserting it into generated web pages, allowing an attacker to inject and execute arbitrary scripts in a victim's browser. This reflected cross-site scripting can enable session hijacking, credential theft, or malicious content injection, directly compromising the confidentiality, integrity, and authenticity of the site and its users. The flaw stems from insufficient input filtering and output encoding, a classic instance of CWE-79 (improper neutralization of input during web page generation).
Affected Systems
The vulnerability affects Ashek Al Mahmud's all-in-one-box-login WordPress plugin in all releases up to and including version 2.0.1. No later versions are known to be affected; the issue is confined to the <= 2.0.1 line of the plugin's release history.
Risk and Exploitability
The CVSS score of 7.1 places this issue in the medium-to-high severity range, indicating significant potential impact if exploited. The EPSS score is listed as < 1%, meaning that, as of the last assessment, the probability of real-world exploitation is very low but not negligible. The vulnerability is not included in the CISA KEV catalog, suggesting no widespread exploitation has been reported yet. The most likely attack vector is the standard reflected XSS scenario: an attacker constructs a URL carrying the script in a reflected parameter and lures a user to it; when the user visits, the injected script runs in that user's browser context and session. Because the attack requires user interaction and no authentication, the practical exposure depends on how easily the plugin's pages can be reached by logged-in users. Even though current exploitation data is scarce, the nature of the weakness warrants prompt remediation.
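To illustrate the CWE-79 pattern behind this class of WordPress plugin bug, the following is an added example (not the plugin's own code, and the parameter name `redirect_to` and the function names are assumptions) showing a query-string value echoed unescaped beside the hardened form using WordPress's escaping helpers; minimal stand-ins are defined so the file also runs outside WordPress.

```php
<?php
// Stand-ins so this runs outside WordPress. The real WordPress functions do
// more (charset handling, filters); these mimic only the escaping behaviour.
if ( ! function_exists( 'esc_attr' ) ) {
    function wp_unslash( $v ) { return stripslashes( $v ); }
    function sanitize_text_field( $v ) {
        // Strip tags, control characters and surrounding whitespace.
        $v = strip_tags( $v );
        $v = preg_replace( '/[\x00-\x1F\x7F]/', '', $v );
        return trim( $v );
    }
    function esc_attr( $v ) { return htmlspecialchars( $v, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern (hypothetical): the raw GET value is concatenated
// straight into an HTML attribute, so a quote in the input breaks out of it.
function aiob_hidden_field_vulnerable( array $get ) {
    $redirect = isset( $get['redirect_to'] ) ? $get['redirect_to'] : '';
    return '<input type="hidden" name="redirect_to" value="' . $redirect . '">';
}

// Hardened pattern: unslash, sanitize as plain text, then escape for the
// exact output context (an HTML attribute) at the point of output.
function aiob_hidden_field_fixed( array $get ) {
    $redirect = isset( $get['redirect_to'] )
        ? sanitize_text_field( wp_unslash( $get['redirect_to'] ) )
        : '';
    return '<input type="hidden" name="redirect_to" value="' . esc_attr( $redirect ) . '">';
}

// Constructed sample input: a value containing characters that are
// significant inside an HTML attribute.
$sample = array( 'redirect_to' => '/account?tab="profile"&x=<1>' );

echo "vulnerable: " . aiob_hidden_field_vulnerable( $sample ) . PHP_EOL;
echo "fixed:      " . aiob_hidden_field_fixed( $sample ) . PHP_EOL;
```

In the vulnerable output the double quotes terminate the `value` attribute early, while the fixed output renders them as `&quot;` and the angle brackets as `&lt;`/`&gt;`, keeping the input inert.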