CVE-2017-15867
MEDIUMuser-login-history < 1.5.2 - Cross-Site Scripting via Multiple Listing Parameters
Title source: llmDescription
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8939
Scores
CVSS v3
6.1
EPSS
0.0104
EPSS Percentile
59.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
user-login-history_project/user-login-history
< 1.5.2
Published
Oct 24, 2017
Tracked Since
Feb 18, 2026