VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Apr 24, 2025 · Updated Apr 23, 2026

CVE-2025-39408

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress BruteGuard – Brute Force Login Protection (slug: bruteguard) allows Reflected XSS. This issue affects BruteGuard – Brute Force Login Protection: all versions through 0.1.4 (no fixed version listed).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BruteGuard 0.1.4 and earlier are vulnerable to reflected XSS: request input is reflected into a page without adequate sanitization or output escaping, so a crafted request can inject script into the response.

The BruteGuard – Brute Force Login Protection plugin for WordPress, versions 0.1.4 and below, fails to properly neutralize user-supplied input during web page generation, leading to a reflected Cross-Site Scripting (XSS) vulnerability [1]. The root cause is insufficient sanitization or escaping of a request value that is written back into the response, so attacker-controlled text is parsed by the browser as HTML or JavaScript rather than as data.

An attacker exploits this by crafting a malicious link or form submission that, when a privileged user such as an administrator interacts with it, injects arbitrary JavaScript into the page context [1]. No account on the target site is required to trigger the reflection; what is required is social engineering, since the payload only runs in the browser of the user who opens the crafted URL or submits the form. The script then executes with that user's session and privileges, which is why a logged-in administrator is the worst-case victim.
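The reflected-XSS pattern the two paragraphs above describe, vulnerable form beside hardened form, as an added PHP example. This is not BruteGuard's code: the parameter name `bg_ip`, the render functions and the two payloads are hypothetical stand-ins, constructed here to show why concatenating a request value into markup is exploitable and why attribute-aware escaping closes it.

```php
<?php
declare(strict_types=1);

// Added illustration of the reflected-XSS class, not BruteGuard's code.
// The parameter name "bg_ip" and the render functions are hypothetical.

// Stand-in for WordPress's esc_attr()/esc_html(): both wrap htmlspecialchars()
// with ENT_QUOTES, so < > & " and ' are all entity-encoded on output.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: the query-string value is concatenated straight into the markup.
// A value that contains a quote breaks out of the attribute, and whatever
// follows is parsed as new HTML (or a new event-handler attribute).
function render_vulnerable(array $get): string
{
    $ip = (string) ($get['bg_ip'] ?? '');
    return '<input type="text" name="bg_ip" value="' . $ip . '">';
}

// HARDENED: the value is escaped for the attribute context it lands in.
// In WordPress the equivalent is
//   esc_attr( sanitize_text_field( wp_unslash( $_GET['bg_ip'] ) ) )
// and the form that accepts it is guarded with check_admin_referer(), so a
// bare crafted link without a valid nonce is rejected before rendering.
function render_hardened(array $get): string
{
    $ip = trim((string) ($get['bg_ip'] ?? ''));
    return '<input type="text" name="bg_ip" value="' . escape_for_html($ip) . '">';
}

// Is the attacker's string present unchanged in the rendered HTML?
function payload_reflected_verbatim(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed payloads, as they would arrive in the query string of a crafted
// link. The second one needs no angle brackets at all: stripping < and > is
// not a fix when the sink is inside an attribute value.
$payloads = [
    'tag breakout'   => '"><script>alert(document.domain)</script>',
    'attr injection' => '" autofocus onfocus="alert(document.domain)',
];

foreach ($payloads as $label => $payload) {
    $get = ['bg_ip' => $payload];
    foreach (['render_vulnerable', 'render_hardened'] as $render) {
        $html = $render($get);
        printf("[%s] %s\n  %s\n  reflected verbatim: %s\n", $label, $render, $html,
            payload_reflected_verbatim($html, $payload) ? 'YES' : 'no');
    }
}
```

Running it with `php` prints both renderings for each payload. In the hardened output `"` becomes `&quot;` and `<` becomes `&lt;`, so neither payload survives as markup. The escaping function has to match the sink: `esc_attr()` for attribute values, `esc_html()` for text nodes, `esc_url()` for `href`/`src`, `wp_json_encode()` for data handed to inline script. For a field that is supposed to hold an IP address, an allow-list check such as `filter_var($raw, FILTER_VALIDATE_IP)` is a sensible extra layer, but it does not replace output escaping.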

If exploited, the injected script can redirect visitors, display unwanted advertisements, or deliver other arbitrary HTML payloads [1], and, because it runs in the victim's session, can perform actions or read data that user is allowed to. This compromises site integrity, can expose data, and can be a stepping stone to further attacks on the site and its visitors. The CVSS score of 7.1 places the issue in the High band; reflected XSS in WordPress plugins is a class that could be used in mass-exploit campaigns.

As of the publication date, no official patch has been released for BruteGuard; users are advised to apply a mitigation (virtual-patch) rule via a security plugin such as Patchstack until a fixed version is available [1]. Since there is no fixed version to update to, site owners who cannot apply such a rule should consider deactivating the plugin, or ask their hosting provider for help mitigating the risk, and watch for a release newer than 0.1.4.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.