WordPress Plugin Vulnerabilities

Login with AJAX Plugin <= 3.1.6 - Cross-Site Scripting (XSS)

Description

In version 3.1.7 changelog -> "Fixed XSS security vulnerability on LWA settings page allowing code injection if an authorized user follows a properly structured url to that page, this does not affect the security of the login forms, only the settings page. Kudos Neven Biruski from DefenceCode for responsible disclosure."

Affects Plugins

Plugin icon
login-with-ajax
Fixed in 3.1.7

References

URL
https://wordpress.org/plugins/login-with-ajax/#developers

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
Chris Atomix
Submitter website
https://www.atomix.com.au
Verified
No
WPVDB ID
5c7acb7c-1459-41f2-900a-c68d1c57d5e3

Timeline

Publicly Published
2017-04-11 (about 9 years ago)
Added
2017-05-02 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2025-12-16
Title
WP Recipe Maker < 10.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-05-30
Title
Simple Spoiler < 1.3 - Admin+ Stored XSS
Published
2025-10-16
Title
Kallyas <= 4.22.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-03
Title
Vayu Blocks <= 1.4.4 - Contributor+ Stored XSS
Published
2024-06-06
Title
Kenta Blocks – Responsive Blocks and block templates library < 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting