Skip to main content

.htaccess Login block CVE-2025-27269

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:53 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound .htaccess Login block allows Reflected XSS. This issue affects .htaccess Login block: from n/a through 0.9a.

AnalysisAI

Reflected cross-site scripting in .htaccess Login block WordPress plugin versions up to 0.9a allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malicious actions in the context of authenticated WordPress administrators. EPSS score of 0.09% (26th percentile) indicates low probability of widespread exploitation, and no active exploitation or public POC has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from improper neutralization of user-supplied input before rendering it in HTML output (CWE-79). The plugin fails to sanitize or encode data received through HTTP parameters before reflecting it back in web pages, allowing attackers to inject arbitrary JavaScript. WordPress plugins that implement authentication or login features are common targets for XSS because they handle sensitive user interactions. The vulnerability affects all versions through 0.9a, with the 'n/a' starting point suggesting the flaw existed since initial release. The CVSS vector indicates a changed scope (S:C), meaning successful exploitation can affect resources beyond the vulnerable component itself, typical of XSS where attacker code executes in the victim's browser context with access to cookies, DOM, and session data across the same origin.

Affected ProductsAI

WordPress .htaccess Login block plugin versions from initial release through 0.9a are confirmed vulnerable per Patchstack advisory. The plugin is authored by NotFound and available through the WordPress plugin repository. No specific CPE identifier is included in available data. The vendor advisory at patchstack.com/database/wordpress/plugin/htaccess-login-block provides detailed vulnerability information.

RemediationAI

Update .htaccess Login block plugin to version 0.9b or later if available, as indicated by the 'through 0.9a' vulnerable range suggesting a patched version exists. Verify patch availability through the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/htaccess-login-block/vulnerability/wordpress-htaccess-login-block-plugin-0-9a-reflected-cross-site-scripting-xss-vulnerability. If no patched version is released, remove or disable the plugin and implement login protection through alternative methods such as server-level .htaccess password protection (not plugin-based), fail2ban for brute force prevention, or alternative WordPress security plugins with active maintenance. As a temporary compensating control, implement Content Security Policy headers to restrict inline script execution, though this may break legitimate plugin functionality and does not address the root vulnerability. Educate WordPress administrators to avoid clicking untrusted links while authenticated to reduce reflected XSS risk.

Share

CVE-2025-27269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy