Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History user-login-history allows Stored XSS. This issue affects User Login History: from n/a through <= 2.1.6.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User Login History plugin does not properly neutralize input before rendering it on the login history page, allowing attackers to store malicious scripts that are executed whenever a visitor loads the page. This flaw enables a stored XSS condition that can affect any user who views the compromised page.

Affected Systems

The vulnerability exists in the WordPress plugin User Login History developed by Faiyaz Alam. All versions from the initial release through version 2.1.6 are affected. Any WordPress site that has this plugin installed and has not upgraded beyond 2.1.6 is vulnerable.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity impact. The EPSS score is below 1%, implying a low probability of active exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply malicious input that the plugin stores and later displays, typically through an authenticated user interface, to trigger the stored XSS when a visitor loads the login history page.

Generated by OpenCVE AI on April 30, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Login History plugin to a version newer than 2.1.6 that incorporates the XSS fix.
  • If an upgrade is not possible, disable or remove the plugin to eliminate the vulnerability.
  • For future development, verify that any data stored or rendered by the plugin is properly sanitized and escaped using WordPress functions such as esc_html() or esc_attr() to prevent stored XSS.
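As an added illustration of the last point (example code, not the User Login History plugin's own code): a login-history row rendered once with raw stored values and once with WordPress output escaping. The row fields (username, IP address, user agent, login time) and the function names are assumptions; the sample row is constructed so that the unescaped variant visibly emits markup. When run outside WordPress, a labelled stand-in for esc_html()/esc_attr() based on htmlspecialchars() is defined so the file executes on plain PHP.

```php
<?php
// Added example, not code from the User Login History plugin.
// Field names and function names below are assumptions.

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr() are already defined and these blocks are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed sample row: the stored user agent contains markup, which is
// the kind of value a login-history page would later render.
$row = array(
    'username'   => 'alice',
    'ip_address' => '203.0.113.10',
    'user_agent' => '<script>alert(1)</script> Mozilla/5.0',
    'login_time' => '2025-05-07 14:45:00',
);

// Vulnerable pattern (CWE-79): stored values are concatenated into the page
// unescaped, so stored markup is interpreted by every visitor's browser.
function ulh_example_render_row_unsafe( array $row ) {
    return '<tr data-user="' . $row['username'] . '">'
        . '<td>' . $row['username'] . '</td>'
        . '<td>' . $row['ip_address'] . '</td>'
        . '<td>' . $row['user_agent'] . '</td>'
        . '<td>' . $row['login_time'] . '</td>'
        . '</tr>';
}

// Hardened pattern: escape at the point of output with the escaper that
// matches the context: esc_attr() inside an attribute value, esc_html()
// for text content. Sanitizing on storage alone is not enough, because the
// same value may be rendered in several contexts later.
function ulh_example_render_row( array $row ) {
    return '<tr data-user="' . esc_attr( $row['username'] ) . '">'
        . '<td>' . esc_html( $row['username'] ) . '</td>'
        . '<td>' . esc_html( $row['ip_address'] ) . '</td>'
        . '<td>' . esc_html( $row['user_agent'] ) . '</td>'
        . '<td>' . esc_html( $row['login_time'] ) . '</td>'
        . '</tr>';
}

// The escaped row contains "&lt;script&gt;" rather than a live <script> tag.
echo ulh_example_render_row( $row ), "\n";
```

Running the file prints a single table row in which the stored `<script>` tag appears as literal text (`&lt;script&gt;`), which is the behaviour a fixed login-history page should show; `ulh_example_render_row_unsafe()` is kept only to make the difference between the two patterns visible side by side.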

Advisories

Source: EUVD
ID: EUVD-2025-13728
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History allows Stored XSS. This issue affects User Login History: from n/a through 2.1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History allows Stored XSS. This issue affects User Login History: from n/a through 2.1.6.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History user-login-history allows Stored XSS.This issue affects User Login History: from n/a through <= 2.1.6.
Title
  Values Removed: WordPress User Login History <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress User Login History plugin <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Metrics (epss)
  Values Removed: {'score': 0.00039}
  Values Added: {'score': 0.00045}


Wed, 07 May 2025 19:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History allows Stored XSS. This issue affects User Login History: from n/a through 2.1.6.
Title
  Values Added: WordPress User Login History <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics (cvssV3_1)
  Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.058Z

Reserved: 2025-05-07T10:45:27.459Z

Link: CVE-2025-47676

Vulnrichment

Updated: 2025-05-07T17:18:43.880Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:19.703

Modified: 2026-04-23T15:30:43.710

Link: CVE-2025-47676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses