CVE-2025-22341

CVE-2025-22341 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Hide Login+ (hide-login) WordPress plugin by parswp. This issue affects all versions of the plugin up to and including 3.5.1.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can exploit it by tricking authenticated or unauthenticated users—such as site administrators or visitors—into interacting with maliciously crafted input reflected in web pages, such as via a phishing link. Successful exploitation enables limited impacts on confidentiality, integrity, and availability within a changed scope, potentially allowing script execution in the victim's browser context.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/hide-login/vulnerability/wordpress-hide-login-plugin-3-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS vulnerability specifically in Hide Login+ version 3.5.1 and provides further technical details for mitigation.