Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JkmAS Login Watchdog login-watchdog allows Stored XSS.This issue affects Login Watchdog: from n/a through <= 1.0.4.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Login Watchdog plugin for WordPress contains an input sanitization flaw that allows stored cross‑site scripting. An attacker who can submit data to the plugin can embed a malicious script that is later served to any user who views the affected page. If the victim is logged in, the attacker may hijack the session, steal cookies, or perform other malicious actions within the context of the authenticated user. The vulnerability qualifies as a high‑severity cross‑site scripting flaw (CVSS 7.1).

Affected Systems

The issue affects the JkmAS Login Watchdog plugin, versions up to and including 1.0.4. Any WordPress installation that has Login Watchdog 1.0.4 or earlier installed is vulnerable.

Risk and Exploitability

The CVSS base score of 7.1 indicates a major impact when exploited. The EPSS score is below 1%, meaning current exploitation likelihood is low, yet the presence of stored XSS provides a persistent attack vector that can affect all users browsing the site. The vulnerability is not yet enumerated in the CISA KEV catalog. Attackers typically gain control by submitting malicious input through administrative interfaces or user‑reporting forms within the plugin, a scenario inferred from typical plugin behavior, although the CVE description does not explicitly specify the exact vector.

Generated by OpenCVE AI on May 2, 2026 at 08:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Login Watchdog plugin to a version newer than 1.0.4, or remove it entirely if an update is unavailable.
  • Disable or delete the plugin if it cannot be updated, to prevent stored payloads from being served.
  • Configure a stringent Content Security Policy and implement additional input validation for any custom fields in the plugin to mitigate future XSS risks.

Generated by OpenCVE AI on May 2, 2026 at 08:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5701 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Login Watchdog allows Stored XSS. This issue affects Login Watchdog: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Login Watchdog allows Stored XSS. This issue affects Login Watchdog: from n/a through 1.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JkmAS Login Watchdog login-watchdog allows Stored XSS.This issue affects Login Watchdog: from n/a through <= 1.0.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Login Watchdog allows Stored XSS. This issue affects Login Watchdog: from n/a through 1.0.4.
Title WordPress Login Watchdog plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:17.788Z

Reserved: 2025-01-16T11:28:39.048Z

Link: CVE-2025-23716

cve-icon Vulnrichment

Updated: 2025-03-04T21:46:13.435Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:45.270

Modified: 2026-06-17T08:56:37.753

Link: CVE-2025-23716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')