Impact
This vulnerability results from improper neutralization of user-supplied input in the Calvaweb Password only login plugin for WordPress. The weakness is classified as CWE-79, improper neutralization of input during web page generation, i.e. cross-site scripting. A crafted HTTP request causes the plugin to echo the unsanitized input back into the page it generates, so any markup or script in that input is rendered by the browser: this is reflected XSS. Because the reflected script executes under the site's origin, an attacker who gets a user to open a crafted link can run arbitrary client-side code in that user's browser session, which may lead to credential theft (for example by capturing what the victim types into the login form), defacement, or redirection to an attacker-controlled page. Reflected XSS is not persistent: each victim has to be delivered the crafted request, typically as a link.
Affected Systems
The flaw affects every version of the Password only login plugin up to and including 0.2, including any older or custom builds. The plugin is a WordPress plugin distributed by Calvaweb and is used on sites that gate access with a password alone. This page gives no fixed version; check the installed version in the WordPress admin plugins list (or with WP-CLI, wp plugin list) and treat any install at 0.2 or earlier as affected.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, which is high severity. A reflected XSS at that level needs no authentication but does require a victim to act, normally by opening an attacker-supplied link. The EPSS value of less than 1% (EPSS estimates the probability of exploitation in the wild within the next 30 days) indicates a low likelihood of active exploitation at present, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack is delivered through the web interface: the attacker crafts a query string or form field whose value the plugin reflects into the login page without escaping, and sends a user to that URL. When the user opens it, the injected script runs in their browser under the site's origin. Until a patch is applied, the installation remains exposed; disabling the plugin, or front-ending the site with a web application firewall rule that blocks the reflected payload, reduces exposure in the meantime. A Content-Security-Policy that disallows inline script limits what a successful injection can do but is not a substitute for output escaping.
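As an added illustration that is not the plugin's actual code, the following PHP shows the CWE-79 pattern described in the Impact and Risk sections and its hardened form, as a WordPress plugin author would write it. The function names, the redirect_to and error parameters, and the form layout are assumptions; the WordPress helpers used (wp_unslash, wp_validate_redirect, esc_attr, esc_html) are real core functions.

```php
<?php
// Hypothetical illustration of the reflected XSS pattern in a password-only
// login form. Not the Calvaweb plugin's code; parameter names are assumptions.

// VULNERABLE: request parameters are concatenated straight into the HTML.
// A value of `error` or `redirect_to` that contains markup (a closing quote
// followed by a tag, or a <script> element) is emitted verbatim, so the
// browser executes it under the site's origin when the crafted URL is opened.
function pol_login_form_vulnerable() {
    $redirect = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : '';
    $error    = isset($_GET['error']) ? $_GET['error'] : '';

    echo '<form method="post" action="">';
    // Attribute context: a `"` in $redirect ends the value and starts new attributes.
    echo '<input type="hidden" name="redirect_to" value="' . $redirect . '">';
    if ($error !== '') {
        // Text context: `<` and `>` in $error are parsed as tags.
        echo '<p class="error">' . $error . '</p>';
    }
    echo '<input type="password" name="password">';
    echo '<input type="submit" value="Log in">';
    echo '</form>';
}

// HARDENED: escape on output, choosing the escaper for the context the value
// lands in, and validate the redirect target rather than reflecting it.
function pol_login_form_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data.
    $redirect = isset($_GET['redirect_to']) ? wp_unslash($_GET['redirect_to']) : '';
    $error    = isset($_GET['error']) ? wp_unslash($_GET['error']) : '';

    // Only same-site (or allowed-host) targets survive; anything else becomes ''.
    // This also closes the open-redirect that a reflected redirect_to invites.
    $redirect = wp_validate_redirect($redirect, '');

    echo '<form method="post" action="">';
    // Attribute context: esc_attr() encodes quotes, so the value cannot break out.
    echo '<input type="hidden" name="redirect_to" value="' . esc_attr($redirect) . '">';
    if ($error !== '') {
        // HTML text context: esc_html() encodes < > & " ' so markup is shown, not parsed.
        echo '<p class="error">' . esc_html($error) . '</p>';
    }
    echo '<input type="password" name="password">';
    echo '<input type="submit" value="Log in">';
    echo '</form>';
}
```

The point of the hardened version is that escaping happens at the output site and is chosen per context: esc_attr() for attribute values and esc_html() for element text. Escaping once at input time, or with a single generic function, is the usual way such fixes regress, because a value that is safe in one context can still break out of another.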
OpenCVE Enrichment