## Description

A DOM-based Cross-Site Scripting vulnerability in the [Easy Hide Login] WordPress plugin allows authenticated administrators to inject arbitrary JavaScript code via an improperly sanitized `href` attribute in the plugin settings.

## Vulnerability Details

- Type: DOM-based Cross-Site Scripting (Self)
- Privilege Required: Administrator
- Attack Vector: Local
- CVSS Score: 3.1 (Low)
- CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

## Proof of Concept

### Steps to Reproduce:

1. Log in to WordPress as Administrator
2. Navigate to the plugin settings page
3. Locate the input field with ID `login_slug`
4. Inject the following payload: `"><script>alert("xss");` or `<h1>html injection</h1>`

**Vulnerable Code Structure:**

```html
<a id="login_url" href="http://localhost?">http://localhost?</a>
<input type="text" id="login_slug" name="slug">
```
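
One way to harden the path from the `login_slug` field to the `login_url` anchor is shown below as an added example; it is not the plugin's code and not part of the original report. The function names, the slug allowlist and the assumption that a client-side script refreshes the preview link are all illustrative.

```javascript
// Added example (not the plugin's code). Function names and the slug
// allowlist are assumptions made for illustration.

// Assumed rule: 1-64 letters, digits, hyphens or underscores.
const SLUG_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Return the trimmed slug if it matches the allowlist, otherwise null.
function validateSlug(raw) {
  const slug = String(raw).trim();
  return SLUG_RE.test(slug) ? slug : null;
}

// Build the preview URL shown in #login_url; null means "reject the input".
function buildLoginUrl(base, rawSlug) {
  const slug = validateSlug(rawSlug);
  return slug === null ? null : base + "?" + encodeURIComponent(slug);
}

// For code paths that still assemble markup as a string: encode the
// characters that let a value leave an attribute or text context.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Update the anchor through DOM properties instead of innerHTML or string
// concatenation, so the value is never parsed as markup.
function updatePreview(doc, base, rawSlug) {
  const url = buildLoginUrl(base, rawSlug);
  if (url === null) return false; // keep the previous, known-good preview
  const anchor = doc.getElementById("login_url");
  anchor.setAttribute("href", url);
  anchor.textContent = url;
  return true;
}
```

In a browser, call `updatePreview(document, base, input.value)` from the field's `input` handler. The same allowlist should also be enforced server-side when the setting is saved, since client-side checks alone do not protect the stored value.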