CVE-2025-50016
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brijeshk89 IP Based Login ip-based-login allows Stored XSS. This issue affects IP Based Login: from n/a through <= 2.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in IP Based Login plugin (≤2.4.2) allows attackers to inject malicious scripts via IP-based login forms.
Vulnerability
Overview
The IP Based Login plugin for WordPress versions up to and including 2.4.2 contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors [1].
Exploitation
To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site, which allows them to insert malicious payloads via IP-based login fields. The attack requires user interaction, such as a privileged user clicking a crafted link or visiting a specially prepared page. Once the payload is stored, the script executes in the browser of any user who visits the affected page [1].
Impact
Successful exploitation enables the attacker to perform actions such as redirecting users to malicious sites, displaying advertisements, or stealing session cookies. This can lead to further compromise of the site and its users, although the CVSS score of 5.9 (Medium) indicates a moderate severity [1].
Mitigation
The vulnerability is patched in version 2.4.3 of the IP Based Login plugin. Users are strongly advised to update immediately. If unable to update, administrators can consider disabling the plugin or implementing a web application firewall (WAF) to block malicious input. Auto-updates can be enabled for Patchstack users [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.4.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.