This vulnerability in Ultimate AJAX Login (<= 1.2.1) combines CSRF and reflected XSS issues, enabling attackers to trick authenticated users into executing unwanted actions or injecting malicious scripts. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability. The vulnerability is publicly disclosed but lacks vendor-provided patch or mitigation details.

Successful exploitation could allow attackers to perform unauthorized actions with the privileges of the victim user and inject malicious scripts, potentially leading to partial compromise of confidentiality, integrity, and availability of the affected system. The scope change in the CVSS vector suggests the vulnerability may affect components beyond the initially vulnerable module.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the Ultimate AJAX Login plugin to reduce exposure. Implementing standard CSRF protections and input validation may help mitigate risk, but specific vendor guidance should be followed once published.