CVE-2025-25149

High

Published: 07 February 2025

Published

07 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 28.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-25149 is a Cross-Site Request Forgery (CSRF) vulnerability in the Danillo Nunes Login-box WordPress plugin that allows Stored Cross-Site Scripting (XSS). This issue affects all versions of the Login-box plugin from unknown initial versions through 2.0.4 inclusive.

A remote attacker with no required privileges can exploit this vulnerability by tricking a user into submitting a malicious request, such as via a crafted webpage, leading to the storage of an XSS payload. The CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates network accessibility, low attack complexity, user interaction requirement, and changed scope, with low impacts on confidentiality, integrity, and availability.

Patchstack's advisory documents this CSRF to Stored XSS vulnerability specifically in the WordPress Login-box plugin up to version 2.0.4, providing details on the issue for affected installations.

Details

CWE(s): CWE-352

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CSRF to Stored XSS in public-facing WordPress plugin directly enables exploitation of a web application via network-accessible vector with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Plugin/login-box/vulnerability/wordpress-login-box-plugin-2-0-4-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com