CVE-2025-23505

High

Published: 03 March 2025

Published

03 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantho Bihosh Pit Login Welcome pit-login-welcome allows Reflected XSS.This issue affects Pit Login Welcome: from n/a through <= 1.1.5.

Security Summary

CVE-2025-23505 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Pit Login Welcome WordPress plugin (pit-login-welcome). This issue impacts all versions from n/a through 1.1.5, as disclosed on March 3, 2025, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by tricking an authenticated user into performing an action, such as clicking a malicious link. Exploitation changes the scope and enables execution of arbitrary scripts in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability.

Mitigation guidance and additional details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pit-login-welcome/vulnerability/wordpress-pit-login-welcome-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/pit-login-welcome/vulnerability/wordpress-pit-login-welcome-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com