CVE-2024-13836: 
WordPress vulnerability analysis and mitigation

The WP Login Control WordPress plugin through version 2.0.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Hassan Khan Yusufzai and publicly disclosed on February 18, 2025. The issue affects the plugin's parameter handling in the admin interface, which fails to properly sanitize and escape user input before reflecting it back to the page (WPScan).

The vulnerability exists due to improper sanitization and escaping of a parameter in the admin interface. When the parameter is output back in the page, it can lead to a Reflected Cross-Site Scripting attack. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. A proof of concept exploit involves accessing the URL: http://example.com/wp-admin/admin.php?page=loin_ctrl_forms&order=1">alert(1) (WPScan).

The vulnerability can be exploited against high-privilege users such as administrators. If successfully exploited, an attacker could execute arbitrary JavaScript code in the context of the targeted user's browser session, potentially leading to unauthorized actions, data theft, or session hijacking (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the WP Login Control plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).