CVE-2025-23716
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JkmAS Login Watchdog login-watchdog allows Stored XSS. This issue affects Login Watchdog: from n/a through <= 1.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Login Watchdog WordPress plugin versions ≤1.0.4 allows attackers to inject malicious scripts executed on visitor pages.
Vulnerability Overview
Login Watchdog, a WordPress plugin used for monitoring login attempts, contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.0.4. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker with contributor-level or higher privileges to inject arbitrary JavaScript or HTML into plugin pages [1].
Exploitation Conditions
Successful exploitation requires a privileged user (e.g., contributor or above) to inject the malicious payload via a form or other input field. The injected script is then stored and executed when any visitor — including administrators — loads the affected page. No URL-based trigger is needed; the payload runs automatically upon page render due to the stored nature of the XSS [1].
Impact
An authenticated attacker can leverage this XSS to perform actions on behalf of other users, redirect visitors to malicious sites, display fake advertisements, or steal session cookies. The vulnerability is noted as being moderately dangerous and likely to be included in mass-exploit campaigns, targeting WordPress sites regardless of traffic size [1].
Mitigation Status
As of publication, the vendor has not released an official patch. The recommended immediate action is to update the plugin once a patched version becomes available. In the interim, site administrators can apply a mitigation rule from Patchstack, which blocks attacks until an official fix is released. If unable to update, users should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.