Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login read-more-login allows Stored XSS. This issue affects Read More Login: from n/a through <= 2.0.3.
Published: 2025-06-06
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows a stored cross‑site scripting flaw in the arildur Read More Login plugin. Based on the description, the likely attack vector is the submission of malicious input through the plugin’s data entry points, which is then stored and later rendered in WordPress pages, enabling injection of malicious scripts.

Affected Systems

WordPress installations that use the arildur Read More Login plugin version 2.0.3 or earlier are vulnerable. All releases of the plugin through that version contain the flaw.

Risk and Exploitability

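The CVSS 3.1 base score of 5.9 (Medium) comes from the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network with low attack complexity, but exploitation requires a high-privileged account and user interaction, and the impact on confidentiality, integrity and availability is rated low with a changed scope. The EPSS score is below 1 %, indicating a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the submission of malicious input via the plugin’s data entry points, which is then stored and executed when the content is displayed.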

Generated by OpenCVE AI on May 2, 2026 at 08:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current Read More Login plugin version on the WordPress site and, if it is 2.0.3 or older, obtain an updated release from the vendor or the linked advisory and apply the update as soon as it becomes available.
  • If an upgrade cannot be implemented immediately, disable the plugin or restrict access to its input interfaces to prevent new stored content.
  • Implement generic output encoding or sanitization for any user‑supplied data that the plugin processes, mitigating the risk of future XSS injection.

Advisories
Source: EUVD
ID: EUVD-2025-17178
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login allows Stored XSS. This issue affects Read More Login: from n/a through 2.0.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login allows Stored XSS. This issue affects Read More Login: from n/a through 2.0.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login read-more-login allows Stored XSS. This issue affects Read More Login: from n/a through <= 2.0.3.
Title
  Removed: WordPress Read More Login <= 2.0.3 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Read More Login plugin <= 2.0.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 06 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login allows Stored XSS. This issue affects Read More Login: from n/a through 2.0.3.
Title WordPress Read More Login <= 2.0.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.308Z

Reserved: 2025-03-11T08:10:44.966Z

Link: CVE-2025-28989

Vulnrichment

Updated: 2025-06-06T16:10:34.539Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:29.600

Modified: 2026-06-17T09:05:00.377

Link: CVE-2025-28989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')