Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login simple-jwt-login allows Stored XSS. This issue affects Simple JWT Login: from n/a through <= 3.6.4.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross-Site Scripting flaw (CWE-79): input an attacker supplies is persisted by the plugin and later written into a WordPress page without adequate neutralization, so arbitrary HTML and JavaScript execute in the browser of every user who views that page. Running in the victim's session, the script can read whatever the page can reach, send requests that carry the victim's cookies, or redirect the victim to a phishing page. WordPress marks its authentication cookies HttpOnly, so the script cannot read them directly, but it does not need to: requests it issues are authenticated as the victim. The flaw gives no code execution on the server by itself; a script running in an administrator's session can, however, do anything the administrator can, including installing plugins or editing theme files, so the practical impact depends on who views the affected page.

Affected Systems

The flaw exists in the Simple JWT Login plugin developed by Nicu Micle. All versions up to and including 3.6.4 are susceptible. No additional version information is provided beyond this upper bound.

Risk and Exploitability

The CVSS 3.1 vector recorded in the history below (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) gives the 6.5 Medium score: the attacker needs a low-privileged account on the site (PR:L), a victim must open the page that renders the stored payload (UI:R), and the changed scope (S:C) reflects that the payload runs in the victim's browser rather than in the plugin itself. The EPSS score below 1% and the SSVC assessment in the history (Exploitation: none, Automatable: no) indicate no known exploitation and little prospect of mass automated abuse, and the CVE is not in CISA's KEV catalog. The advisory does not say which input is affected; a stored XSS in a plugin of this kind is typically reached through a setting or request value that the plugin persists and later echoes into a page, so the root fix is context-aware escaping at render time (esc_html, esc_attr, esc_url in WordPress), with validation at storage as a second layer. Although the attacker's own privileges are low, the payload executes for every user who views the affected page, so the victims can include administrators.
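
The rendering pattern described in the Impact and Risk paragraphs above, as an added example that is not code from the Simple JWT Login plugin, the advisory or OpenCVE: a hypothetical plugin setting (demo_label, an invented name, not the field affected by this CVE) is stored and later rendered into a page, first unescaped and then with the WordPress escaping functions. The function_exists fallbacks are stand-ins so the file also runs with plain php outside WordPress; inside WordPress the core esc_html, esc_attr and sanitize_text_field are used instead and give the same result for this input.

```php
<?php
// Added example: the stored-XSS rendering pattern and its fix for a WordPress plugin setting.
// Not code from Simple JWT Login. The setting name 'demo_label' is invented.

// Stand-ins so the file runs with plain `php` outside WordPress; inside WordPress the
// core functions already exist and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in for the core function: strip tags and control characters, trim.
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Constructed attacker input, as a low-privileged user might submit it to a settings form.
const ATTACKER_INPUT = '"><img src=x onerror=alert(document.cookie)>';

// Vulnerable pattern (CWE-79): the stored value is concatenated straight into markup,
// so the quote closes the attribute and the <img> tag with its onerror handler is live.
function render_vulnerable(string $stored): string {
    return '<p>Label: ' . $stored . '</p>'
         . '<input type="text" name="demo_label" value="' . $stored . '">';
}

// Hardened pattern: escape for the exact output context at render time.
// Text node -> esc_html(); attribute value -> esc_attr(). Same stored value, no script runs.
function render_hardened(string $stored): string {
    return '<p>Label: ' . esc_html($stored) . '</p>'
         . '<input type="text" name="demo_label" value="' . esc_attr($stored) . '">';
}

// Second layer: normalise on the way in (register_setting()'s sanitize_callback in WordPress).
// Not a substitute for output escaping: the '"' that breaks out of the attribute survives.
function store_setting(string $raw): string {
    return sanitize_text_field($raw);
}

$stored = ATTACKER_INPUT;                 // what an unsanitised save would persist
echo "Vulnerable:\n" . render_vulnerable($stored) . "\n\n";
echo "Hardened:\n"   . render_hardened($stored) . "\n\n";
echo "Sanitised at storage, then hardened render:\n"
   . render_hardened(store_setting(ATTACKER_INPUT)) . "\n";
```

Run with `php example.php` and compare the three outputs: in the vulnerable case the value closes the input tag's value attribute and the image tag's onerror handler would fire in a browser; in the hardened case every quote and angle bracket is entity-encoded and the same bytes are inert. The escaping function is chosen by where the value lands (text, attribute, URL, JavaScript), not by where it came from, which is why sanitising at storage alone is not enough.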

Generated by OpenCVE AI on April 30, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple JWT Login plugin to a release later than 3.6.4 as soon as the vendor publishes one; this page records versions through 3.6.4 as affected and no fixed version, so confirm in the plugin changelog that the release you install addresses CVE-2025-58648.
  • If no fixed release is available, deactivate or uninstall the plugin. This removes the rendering path but does not delete a payload that has already been stored, so review the plugin's stored settings after updating rather than assuming deactivation cleaned them.
  • Add a nonce-based Content Security Policy (script-src with a per-request nonce and 'strict-dynamic', object-src 'none', base-uri 'self') so an injected inline script does not execute even when the payload is stored. Roll it out as Content-Security-Policy-Report-Only first, because WordPress admin screens and many themes rely on inline scripts that a strict policy blocks, and treat it as defence in depth: it does not stop HTML injection used for phishing forms or content spoofing.
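
The update check and CSP items above, as an added example that is not code from the plugin, the vendor or OpenCVE: a minimal must-use plugin that reports an installed Simple JWT Login version in the affected range and sends a nonce-based Content-Security-Policy in report-only mode. It assumes the plugin's main file is simple-jwt-login/simple-jwt-login.php (an assumption; only the slug simple-jwt-login appears in the advisory) and that /csp-report is an endpoint you operate. Outside WordPress the file runs with plain php and prints the header and the check on constructed version strings.

```php
<?php
/**
 * Plugin Name: CSP and Simple JWT Login version check (added example)
 * Description: Drop into wp-content/mu-plugins/. Not code from Simple JWT Login or OpenCVE.
 */

// Assumption: the plugin's main file path relative to wp-content/plugins.
const SJL_PLUGIN_FILE   = 'simple-jwt-login/simple-jwt-login.php';
const SJL_LAST_AFFECTED = '3.6.4';   // from the advisory: "from n/a through <= 3.6.4"

// True when an installed version falls in the affected range.
function sjl_version_is_affected(string $installed): bool {
    return version_compare($installed, SJL_LAST_AFFECTED, '<=');
}

// One nonce per request; every <script> you intend to allow must carry it.
function sjl_csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Nonce-based policy: an inline <script> without the nonce (the stored XSS payload) is not
// run. 'strict-dynamic' lets nonced scripts load further scripts and makes browsers that
// support it ignore 'self', which stays as a fallback; object-src and base-uri close the
// usual bypasses. report-uri is an assumption (an endpoint you operate).
function sjl_csp_policy(string $nonce): string {
    return "script-src 'nonce-$nonce' 'strict-dynamic' 'self'; "
         . "object-src 'none'; base-uri 'self'; "
         . "report-uri /csp-report";
}

// Start in report-only mode; switch to enforcing once the reports are clean.
function sjl_csp_header_name(bool $enforce): string {
    return $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
}

if (function_exists('add_action')) {
    // Inside WordPress. send_headers fires for front-end requests only; admin screens do
    // not pass through it, so hook admin_init as well (headers are not yet sent there).
    $send = function () {
        header(sjl_csp_header_name(false) . ': ' . sjl_csp_policy(sjl_csp_nonce()));
    };
    add_action('send_headers', $send);
    add_action('admin_init', $send);

    // Warn administrators while an affected version is installed.
    add_action('admin_notices', function () {
        if (!function_exists('get_plugin_data')) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $path = WP_PLUGIN_DIR . '/' . SJL_PLUGIN_FILE;
        if (!file_exists($path)) {
            return;
        }
        $version = get_plugin_data($path, false, false)['Version'] ?? '';
        if ($version !== '' && sjl_version_is_affected($version)) {
            echo '<div class="notice notice-error"><p>Simple JWT Login ' . esc_html($version)
               . ' is affected by CVE-2025-58648; update it or deactivate it.</p></div>';
        }
    });
} else {
    // Plain `php` outside WordPress: show the header and the check on constructed versions.
    echo sjl_csp_header_name(false) . ': ' . sjl_csp_policy(sjl_csp_nonce()) . "\n";
    foreach (['3.6.4', '3.6.3', '3.7.0'] as $v) {   // constructed sample version strings
        printf("%s affected: %s\n", $v, sjl_version_is_affected($v) ? 'yes' : 'no');
    }
}
```

The policy only helps once legitimate scripts carry the nonce: WordPress 5.7 and later exposes the wp_script_attributes and wp_inline_script_attributes filters for adding it to enqueued and inline scripts, and anything a theme or plugin prints by hand must be adjusted by hand. Leave the header in report-only mode until the reports stop listing scripts you rely on, then change the false in the two header calls to true.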

Generated by OpenCVE AI on April 30, 2026 at 06:48 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-30532
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login allows Stored XSS. This issue affects Simple JWT Login: from n/a through 3.6.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login allows Stored XSS. This issue affects Simple JWT Login: from n/a through 3.6.4.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login simple-jwt-login allows Stored XSS.This issue affects Simple JWT Login: from n/a through <= 3.6.4.

  Type: Title
  Removed: WordPress Simple JWT Login Plugin <= 3.6.4 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Simple JWT Login plugin <= 3.6.4 - Cross Site Scripting (XSS) vulnerability

  Type: References
  (values not shown on the page)

  Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 17:15:00 +0000

  Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

  Type: First Time appeared
  Value: Wordpress, Wordpress wordpress

  Type: Vendors & Products
  Value: Wordpress, Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

  Type: Description
  Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login allows Stored XSS. This issue affects Simple JWT Login: from n/a through 3.6.4.

  Type: Title
  Value: WordPress Simple JWT Login Plugin <= 3.6.4 - Cross Site Scripting (XSS) Vulnerability

  Type: Weaknesses
  Value: CWE-79

  Type: References
  (values not shown on the page)

  Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:30:50.266Z

Reserved: 2025-09-03T09:03:20.489Z

Link: CVE-2025-58648

Vulnrichment

Updated: 2025-09-23T16:00:18.862Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:14.663

Modified: 2026-04-23T15:33:31.410

Link: CVE-2025-58648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')