CVE-2025-46477

The WP Customize Login Page plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions up to and including 1.6.5, allowing attackers to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the context of the login page [1].

Exploitation requires an authenticated user with at least contributor-level privileges, and successful execution depends on a privileged user performing an action such as clicking a malicious link or visiting a crafted page. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

If exploited, an attacker can inject malicious scripts that may redirect visitors to phishing sites, display unwanted advertisements, or deliver other HTML payloads. These scripts execute whenever a guest or administrator accesses the affected login page, potentially compromising site integrity and user trust [1].

As an immediate mitigation, users should update the plugin to the latest available version. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround is provided, and the vendor has not released a patched version at the time of this writing [1].