CVE-2025-58960

The IP Based Login plugin for WordPress versions up to and including 2.4.3 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This means that input provided by an authenticated user with contributor-level privileges or higher is not sanitized before being stored and later displayed to site visitors [1].

Exploitation requires the attacker to have at least contributor-level access to the WordPress site. The attacker can submit a crafted payload through a form or other input field; when an administrator or other privileged user views the stored content, the script executes in their browser session. Because the attack depends on a higher-privileged user performing an action (e.g., visiting a page), user interaction is required [1].

The impact is moderate but can lead to serious consequences: an attacker can inject arbitrary JavaScript that redirects visitors, displays advertisements, steals session cookies, or performs other actions within the context of the authenticated user's session. This can result in site defacement, credential theft, or further compromise of the WordPress installation [1].

Patched versions are available. The vendor has released IP Based Login 2.4.4 which resolves the vulnerability. Users are strongly advised to update immediately. If updating is not possible, enabling automatic updates for vulnerable plugins can help mitigate the risk [1].