CVE-2025-26547
Published: 13 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-26547 is a Cross-Site Request Forgery (CSRF) vulnerability in the My Login Logout Plugin (my-loginlogout) for WordPress, developed by nagarjunsonti. The flaw enables Stored Cross-Site Scripting (XSS) and affects the plugin from unspecified initial versions through 2.4 inclusive.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, requiring user interaction such as clicking a malicious link. Exploitation leverages CSRF to inject stored XSS payloads, achieving a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), which changes the scope and results in low impacts to confidentiality, integrity, and availability as scripts execute in the context of affected users.
The Patchstack advisory provides further details on this vulnerability, including potential mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/my-loginlogout/vulnerability/wordpress-my-login-logout-plugin-plugin-2-4-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin enables remote exploitation via CSRF to stored XSS; requires user interaction with malicious link to trigger injection.