Impact
The vulnerability is a Reflected Cross-Site Scripting flaw that allows an attacker to inject arbitrary JavaScript into the web pages generated by the WordPress Additional Logins plugin. The attacker crafts input that the plugin echoes back unsanitized in its response; a victim who visits the specially crafted URL then runs that script in the context of the site, which could expose session cookies, deface the site, or redirect the user to phishing domains. The flaw directly affects the confidentiality, integrity, and availability of the affected WordPress installation, since it can be used to hijack user sessions or manipulate page content.
Affected Systems
The vulnerability affects the WordPress Additional Logins plugin developed by niksudan, in all releases from the initial version up to and including 1.0.0. WordPress sites with this plugin installed that have not updated past the 1.0.0 release are at risk. No additional third-party products are listed as affected.
Risk and Exploitability
The CVSS score is 7.1, indicating high severity. The EPSS score is less than 1%, suggesting a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA KEV, so no active exploitation has been reported. The likely attack vector is reflected XSS: an attacker sends a crafted request containing malicious input to the plugin's entry point, and the plugin echoes that input back without proper sanitization. This typically requires victim interaction, such as clicking a link or visiting a URL that carries the payload, but no authenticated access is required to trigger the reflection.
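The pattern the advisory describes (request input echoed straight into a page) beside the fix a plugin maintainer would apply, as an added illustration that is not the Additional Logins plugin's code: the shortcode name, the `msg` and `next` query parameters and the markup are hypothetical, and the snippet assumes it runs inside a loaded WordPress installation so the core escaping helpers exist.

```php
<?php
// Added example, not the Additional Logins plugin's own code.
// Shortcode name, parameter names and markup are hypothetical.

// VULNERABLE pattern: request input is written into HTML unescaped, which
// is the defect class the advisory describes (reflected XSS). Shown only
// so the fix below can be compared against it.
function al_example_notice_vulnerable() {
    $msg = isset( $_GET['msg'] ) ? $_GET['msg'] : '';
    $url = isset( $_GET['next'] ) ? $_GET['next'] : '/';
    // Both values reach the page as-is: one in a text node, one in an href.
    return '<div class="notice">' . $msg . '</div>'
         . '<a href="' . $url . '">Continue</a>';
}

// HARDENED pattern: sanitize on input, escape on output for the exact
// HTML context the value lands in.
function al_example_notice_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, control characters and newlines.
    $msg = isset( $_GET['msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['msg'] ) )
        : '';
    $url = isset( $_GET['next'] ) ? wp_unslash( $_GET['next'] ) : '/';

    // esc_html() for a text node; esc_url() for an href, which also
    // rejects schemes outside wp_allowed_protocols() such as javascript:.
    // For a value placed in a plain attribute, esc_attr() would be used.
    return '<div class="notice">' . esc_html( $msg ) . '</div>'
         . '<a href="' . esc_url( $url ) . '">Continue</a>';
}

// Only the hardened handler is registered; the vulnerable one exists for
// side-by-side comparison and should never be wired up.
add_shortcode( 'al_example_notice', 'al_example_notice_hardened' );
```

When reviewing a plugin for this class of bug, look for any `$_GET`, `$_POST` or `$_REQUEST` value that reaches `echo`, `printf` or string concatenation into markup without passing through one of the `esc_*` or `sanitize_*` helpers on the way.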