CVE-2025-23587

Vulnerability

Overview

The all-in-one-box-login plugin for WordPress (versions up to and including 2.0.1) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the context of the victim's browser.

Exploitation

Details

Exploitation requires user interaction: an attacker must trick a privileged user (e.g., an administrator) into clicking a crafted link or visiting a specially prepared page [1]. The vulnerability is classified as reflected XSS, meaning the malicious payload is part of the request and is immediately reflected back in the response. No authentication is needed to deliver the payload, but the target user must be logged into the WordPress site for the attack to succeed.

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or theft of sensitive information such as cookies or login credentials [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites.

Mitigation

The vendor has not yet released an official patch, but users are strongly advised to update the plugin as soon as a fixed version becomes available. In the interim, a mitigation rule from Patchstack can block attacks until a patch can be safely applied [1]. If updating is not possible, consulting a hosting provider or web developer for additional security measures is recommended.