CVE-2025-23547

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0035 57.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shawfactor LH Login Page lh-login-page allows Reflected XSS.This issue affects LH Login Page: from n/a through <= 2.14.

Security Summary

CVE-2025-23547 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the shawfactor LH Login Page WordPress plugin (lh-login-page). This issue affects all versions from n/a through 2.14 inclusive, as published on 2025-01-16.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, but user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with crafted input on the login page, achieving limited impacts to confidentiality, integrity, and availability within the victim's browser scope, such as potential session token theft or malicious script execution.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/lh-login-page/vulnerability/wordpress-lh-login-page-plugin-2-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress LH Login Page plugin version 2.14.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/lh-login-page/vulnerability/wordpress-lh-login-page-plugin-2-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com