VYPR
Medium severity 6.5 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47676

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History user-login-history allows Stored XSS. This issue affects User Login History: from n/a through <= 2.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in User Login History plugin (≤2.1.6) allows authenticated attackers with contributor access to inject malicious scripts, potentially compromising the site.

The User Login History plugin for WordPress versions 2.1.6 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browser of any user viewing the login history logs.

Exploitation requires an authenticated user with at least contributor-level privileges to insert a malicious payload into a login history field. When a privileged user, such as an administrator, accesses the affected page, the injected script executes without further interaction [1]. This makes the attack particularly dangerous in multi-user WordPress environments where lower-privileged accounts may be compromised.

Successful exploitation enables the attacker to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies. In a worst-case scenario, this could lead to full administrative control of the WordPress installation [1].

The vulnerability has been addressed in version 2.1.7 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
