CVE-2025-23568
Published: 14 February 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fredsted WP Login Attempt Log wp-login-attempt-log allows Reflected XSS.This issue affects WP Login Attempt Log: from n/a through <= 1.3.
Security Summary
CVE-2025-23568 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Login Attempt Log WordPress plugin by fredsted. The issue affects the wp-login-attempt-log plugin in all versions from n/a through 1.3 inclusive.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable remotely over the network with low attack complexity and no privileges required, though it demands user interaction. Attackers can trick authenticated or unauthenticated users into accessing a maliciously crafted link or page, leading to arbitrary script execution in the victim's browser within the context of the affected site and with changed scope to cross-origin, enabling limited impacts on confidentiality, integrity, and availability such as session hijacking or minor data manipulation.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-login-attempt-log/vulnerability/wordpress-wp-login-attempt-log-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in wp-login-attempt-log version 1.3 and provides details relevant to mitigation for WordPress administrators.
Details
- CWE(s)