Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation weakness that allows reflected cross-site scripting (XSS) in the alvego Protected wp‑login plugin. An attacker can craft a URL or form input whose contents are reflected, without adequate escaping, into the page returned to a victim's browser, so that arbitrary script executes in the context of the targeted WordPress site. This can lead to session hijacking, defacement, or the delivery of further malware, compromising user confidentiality and the integrity of the site's content.
Affected Systems
WordPress installations that use the alvego Protected wp‑login plugin up to and including version 2.1 are impacted. The vulnerability has no dependency on external services or additional components beyond the plugin’s handling of login page requests.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests that exploitation activity is not currently widespread. The issue is not listed in the CISA KEV catalog, and no public exploit has been documented. The likely attack vector is web‑based: an attacker sends a crafted request to the wp‑login URL that a victim will see or click, and the reflected input then executes as script in the victim's browser. If the attacker thereby obtains session cookies or credentials, they can further compromise site resources.
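Because the advisory describes a web‑based vector (a crafted request to the wp‑login URL), a practical defender-side step is to review web server access logs for requests to the login page whose query parameters carry script-like content. The following is an added example, not part of the OpenCVE/EUVD advisory and not code from the alvego plugin: it parses constructed Apache combined-format log lines, scopes to /wp-login.php, and flags parameter values that match common XSS indicators after URL decoding. The log lines, IP addresses and parameter names (such as redirect_to) are constructed for illustration; the advisory does not identify which parameter the plugin reflects, so these are assumptions, not a description of the actual flaw.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format). These are not
# real traffic and the parameter names are illustrative assumptions only.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php?redirect_to=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php?redirect_to=https://example.com/wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?s=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target (path plus query string) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of reflected-XSS probing in a parameter value. These are
# deliberately broad; tune them against your own traffic to limit noise.
INDICATORS = {
    "html_tag": re.compile(r'<\s*/?\s*[a-z]', re.I),
    "event_handler": re.compile(r'\bon[a-z]+\s*=', re.I),
    "js_scheme": re.compile(r'javascript\s*:', re.I),
}


def classify_value(value):
    """Return the names of the indicators matching one query-parameter value.

    parse_qsl has already decoded the value once; decoding it a second time
    also catches double-encoded input (e.g. %253C -> %3C -> <).
    """
    decoded = unquote(value)
    return [name for name, rx in INDICATORS.items()
            if rx.search(value) or rx.search(decoded)]


def scan_log(text, target_path="/wp-login.php"):
    """Scan log text and return one finding per suspicious parameter value.

    target_path restricts the scan to one request path (the login page by
    default); pass None to examine every request.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        parts = urlsplit(m.group("target"))
        if target_path is not None and parts.path != target_path:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['path']} "
              f"param={f['param']} indicators={','.join(f['indicators'])}")
```

Run against the constructed sample, only the request that carries an HTML tag in a wp-login.php parameter is reported; the benign redirect to the admin path is not, and the index.php probe is only reported when target_path is set to None. In practice, feed real access logs through scan_log and treat hits on the login page of an installation still running version 2.1 or earlier as a prompt to update the plugin and review the sessions of any administrators who may have followed such a link.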
OpenCVE Enrichment