.htaccess Login block CVE-2025-27269
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound .htaccess Login block allows Reflected XSS. This issue affects .htaccess Login block: from n/a through 0.9a.
AnalysisAI
Reflected cross-site scripting in .htaccess Login block WordPress plugin versions up to 0.9a allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malicious actions in the context of authenticated WordPress administrators. EPSS score of 0.09% (26th percentile) indicates low probability of widespread exploitation, and no active exploitation or public POC has been identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper neutralization of user-supplied input before rendering it in HTML output (CWE-79). The plugin fails to sanitize or encode data received through HTTP parameters before reflecting it back in web pages, allowing attackers to inject arbitrary JavaScript. WordPress plugins that implement authentication or login features are common targets for XSS because they handle sensitive user interactions. The vulnerability affects all versions through 0.9a, with the 'n/a' starting point suggesting the flaw existed since initial release. The CVSS vector indicates a changed scope (S:C), meaning successful exploitation can affect resources beyond the vulnerable component itself, typical of XSS where attacker code executes in the victim's browser context with access to cookies, DOM, and session data across the same origin.
Affected ProductsAI
WordPress .htaccess Login block plugin versions from initial release through 0.9a are confirmed vulnerable per Patchstack advisory. The plugin is authored by NotFound and available through the WordPress plugin repository. No specific CPE identifier is included in available data. The vendor advisory at patchstack.com/database/wordpress/plugin/htaccess-login-block provides detailed vulnerability information.
RemediationAI
Update .htaccess Login block plugin to version 0.9b or later if available, as indicated by the 'through 0.9a' vulnerable range suggesting a patched version exists. Verify patch availability through the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/htaccess-login-block/vulnerability/wordpress-htaccess-login-block-plugin-0-9a-reflected-cross-site-scripting-xss-vulnerability. If no patched version is released, remove or disable the plugin and implement login protection through alternative methods such as server-level .htaccess password protection (not plugin-based), fail2ban for brute force prevention, or alternative WordPress security plugins with active maintenance. As a temporary compensating control, implement Content Security Policy headers to restrict inline script execution, though this may break legitimate plugin functionality and does not address the root vulnerability. Educate WordPress administrators to avoid clicking untrusted links while authenticated to reduce reflected XSS risk.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today