Impact
A Cross-Site Request Forgery (CSRF) flaw in the ALD Login Page plugin lets an attacker trick a logged-in user, typically an administrator, into submitting a request that stores attacker-controlled script in the site's database. When a visitor subsequently loads a page that renders the stored value, the script executes in that visitor's browser, enabling session hijacking, defacement, or delivery of further payloads. The root cause is a missing or improper CSRF check (in WordPress terms, a request handler that does not verify a nonce before writing), so the plugin cannot distinguish a forged request from one the user intended to send. The vulnerability is classified as CWE-352 and carries a CVSS score of 7.1 (High), indicating a significant threat to the confidentiality, integrity, and availability of user data on affected sites.
Affected Systems
The issue is present in all releases of the hossainawlad ALD Login Page plugin from the initial release through version 1.1. No specific WordPress core versions were listed, so any WordPress site running the vulnerable plugin, regardless of core version, should be considered affected.
Risk and Exploitability
The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The flaw nonetheless deserves attention because it chains CSRF into stored XSS: the attacker needs no account on the target site, only a way to get a logged-in user with sufficient privileges (typically an administrator) to open an attacker-controlled page, which silently submits a forged request that the plugin accepts and stores. Every subsequent visitor who loads the affected page then receives the payload, so a single successful lure compromises the site's user base rather than one victim. Given the CVSS score of 7.1, a working exploit gives the attacker a high-impact foothold on any site still running the vulnerable plugin; site owners should confirm whether the plugin is installed and at version 1.1 or earlier, and treat unexpected changes to its stored settings as a possible sign of compromise.
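To make the mechanism described in the Impact and Risk sections concrete, the following is an added illustration, not code from the ALD Login Page plugin or its author: a minimal WordPress settings handler in the vulnerable shape the advisory describes (no nonce, no capability check, raw storage, unescaped output), beside a hardened version. Every name in it (the ald_demo_* functions, the option key, the nonce action and field name, the login_message parameter) is hypothetical.

```php
<?php
/*
 * Added example, not the plugin's own code. All identifiers below
 * (ald_demo_*, the option key, nonce action/field) are hypothetical.
 *
 * Attacker side (described, not shipped here): a page on the attacker's
 * origin containing an auto-submitting <form method="post"
 * action="https://victim.example/wp-admin/admin-post.php"> with
 * action=ald_demo_save_vuln and login_message=<script>...</script>.
 * The victim's browser attaches its WordPress cookies, so the request
 * arrives authenticated.
 */

// --- Vulnerable shape: accepts any authenticated POST (CWE-352).
add_action('admin_post_ald_demo_save_vuln', 'ald_demo_save_vuln');
function ald_demo_save_vuln() {
    // No nonce check, no capability check, no sanitisation: a forged
    // cross-site request writes attacker-controlled markup to the DB.
    update_option('ald_demo_login_message', $_POST['login_message']);
    wp_safe_redirect(wp_get_referer());
    exit;
}
function ald_demo_render_vuln() {
    // Stored value echoed unescaped on the login page: stored XSS for
    // every visitor who loads it.
    echo '<p>' . get_option('ald_demo_login_message', '') . '</p>';
}

// --- Hardened shape: nonce + capability + sanitise on write, escape on read.
add_action('admin_post_ald_demo_save', 'ald_demo_save');
function ald_demo_save() {
    // check_admin_referer() dies unless the request carries a valid nonce
    // for this action. The nonce is bound to the user and session and is
    // not obtainable from a cross-origin page, which defeats CSRF.
    check_admin_referer('ald_demo_save_action', 'ald_demo_nonce');

    // A nonce proves intent, not authority: still require the capability.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }

    // wp_kses_post() strips <script>, event handlers and javascript: URLs
    // while keeping post-safe HTML. Use sanitize_text_field() instead if
    // the setting is meant to be plain text.
    $msg = isset($_POST['login_message'])
        ? wp_kses_post(wp_unslash($_POST['login_message']))
        : '';
    update_option('ald_demo_login_message', $msg);

    wp_safe_redirect(add_query_arg('updated', '1', wp_get_referer()));
    exit;
}
function ald_demo_render() {
    // Escape on output as well; the DB may hold values written before the fix.
    echo '<p>' . wp_kses_post(get_option('ald_demo_login_message', '')) . '</p>';
}
function ald_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="ald_demo_save">
        <?php wp_nonce_field('ald_demo_save_action', 'ald_demo_nonce'); ?>
        <textarea name="login_message"><?php
            echo esc_textarea(get_option('ald_demo_login_message', '')); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The two checks are deliberately separate: the nonce stops a request the user did not mean to send, and the capability check stops a low-privilege user who did mean to send it. Escaping on output in addition to sanitising on input matters here because a value stored before the fix (or through any other write path) would otherwise still fire on every page load.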