VYPR
High severity · 7.1 · NVD Advisory · Published Jan 27, 2025 · Updated Apr 23, 2026

CVE-2025-23792

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Busters Passwordless WP – Login with your glance or fingerprint passwordless-wp allows Reflected XSS. This issue affects Passwordless WP – Login with your glance or fingerprint: from n/a through <= 1.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Passwordless WP plugin for WordPress allows attackers to inject malicious scripts via crafted requests, requiring user interaction.

The Passwordless WP – Login with your glance or fingerprint plugin for WordPress versions up to and including 1.1.6 is vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of user-supplied input during web page generation [1]. This flaw occurs when the plugin reflects unvalidated data back to the user without proper escaping, enabling an attacker to embed arbitrary JavaScript or HTML in a crafted URL.

Exploitation requires a privileged user (e.g., an administrator) to interact with a malicious link, visit a specially crafted page, or submit a form [1]. The attacker does not need authentication beyond luring the target, but the victim must be logged into the WordPress admin interface for the script to execute in that context. The vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns, as it can affect thousands of sites regardless of their size or popularity [1].

Successful exploitation allows an attacker to inject malicious scripts that can perform redirections, display advertisements, or deliver other HTML payloads when visitors access the compromised page [1]. This could lead to defacement, credential theft, or further compromise of the site if the injected script issues administrative actions on behalf of the victim.

The vendor has not yet released an official patch, but Patchstack has provided a mitigation rule to block attacks until a proper update is available [1]. As an immediate action, users should update the plugin to the latest version if a patch is released, or contact their hosting provider for assistance in applying temporary mitigations [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

1
