This issue exposes a Cross‑Site Request Forgery flaw that allows an attacker to inject malicious script into a victim’s browser through the My Login Logout Plugin. By exploiting a CSRF vector, an attacker can cause the plugin to store user‑controlled input as part of the plugin’s text, making the script persist across sessions and visible to all visitors of the WordPress site. Once executed, the stored XSS can steal session cookies, hijack account sessions, or deface the site. The vulnerability is classified as CWE‑352, which indicates that the security protection is lacking because no HTTP request token is validated.

The vulnerability affects the WordPress My Login Logout Plugin by nagarjunsonti, versions n/a through 2.4 inclusive. Any deployment of these versions on a WordPress site is potentially impacted.

The CVSS score of 7.1 indicates a high impact with medium to high exploitability. The EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a forged request sent from a legitimate user’s authenticated session, meaning that attackers need to convince a user to visit a malicious link or form. The combination of CSRF and stored XSS makes the risk significant for any site where administrative users are not limited to a narrow set of IP addresses or where no additional CSRF defenses are in place.