CVE-2025-23540
Published: 23 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mohsin Khan WP Front-end login and register wp-front-end-login-and-register allows Reflected XSS.This issue affects WP Front-end login and register: from n/a through <= 2.1.0.
Security Summary
CVE-2025-23540 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Front-end login and register plugin developed by Mohsin Khan. This issue affects the plugin from unknown initial versions through version 2.1.0 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by injecting malicious scripts into web pages viewed by users, potentially leading to low-impact effects on confidentiality, integrity, and availability, with a changed scope that may affect resources beyond the vulnerable component, such as session hijacking or phishing within the victim's browser context.
Patchstack's advisory provides details on the Reflected XSS vulnerability in WP Front-end login and register version 2.1.0. Security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/wp-front-end-login-and-register/vulnerability/wordpress-wp-front-end-login-and-register-plugin-2-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for recommended mitigations and patch information.
Details
- CWE(s)