CVE-2024-35732 in Custom Login Plugin
Summary
by MITRE • 06/08/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH Custom Login yith-custom-login.This issue affects YITH Custom Login: from n/a through <= 1.7.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/02/2026
The vulnerability identified as CVE-2024-35732 represents a critical cross-site scripting flaw within the YITH Custom Login plugin for WordPress, specifically impacting versions up to and including 1.7.0. This weakness falls under the category of improper input neutralization during web page generation, creating a pathway for malicious actors to inject client-side scripts into web applications. The vulnerability stems from the plugin's failure to adequately sanitize user-supplied input before incorporating it into dynamically generated web pages, thereby exposing the application to potential XSS attacks that could compromise user sessions and data integrity.
The technical implementation of this vulnerability allows attackers to exploit the lack of proper input validation and output encoding mechanisms within the YITH Custom Login plugin. When user input is processed and rendered within the plugin's web interface without appropriate sanitization, malicious scripts can be executed in the context of other users' browsers. This flaw typically occurs when the application directly incorporates user-provided data into HTML output without proper escaping or encoding, creating opportunities for attackers to inject malicious payloads that can steal cookies, session tokens, or perform unauthorized actions on behalf of authenticated users.
The operational impact of this vulnerability extends beyond simple script injection, potentially enabling attackers to perform session hijacking, deface websites, redirect users to malicious domains, or extract sensitive information from authenticated sessions. Given that this affects a widely used WordPress plugin, the potential attack surface is significant, particularly in environments where the plugin is installed on high-traffic websites or those managing sensitive user data. The vulnerability's exploitation requires minimal technical skill and can be automated, making it particularly dangerous for organizations that do not maintain up-to-date security practices. This weakness directly aligns with CWE-79 which defines improper neutralization of input during web page generation, and can be mapped to ATT&CK technique T1531 focusing on credential access through manipulation of authentication systems.
Organizations utilizing the affected YITH Custom Login plugin should immediately implement mitigations including updating to the latest available version that addresses this vulnerability, implementing proper input validation and output encoding mechanisms, and conducting thorough security assessments of all installed WordPress plugins. Additionally, administrators should consider implementing Content Security Policy headers to limit script execution, monitoring for suspicious user activity, and ensuring that all plugin updates are applied promptly to maintain security posture. The vulnerability highlights the critical importance of maintaining up-to-date software components and implementing robust input sanitization practices as fundamental security controls to prevent such cross-site scripting attacks from compromising web applications and user data.