CVE-2025-68844

Vulnerability

Overview

The Membee Login plugin for WordPress (versions up to and including 2.3.6) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the application's response.

Exploitation

Details

To exploit this vulnerability, an attacker must craft a malicious link or request that, when interacted with by a privileged user (such as an administrator), causes the injected script to execute in the context of the victim's browser [1]. User interaction is required, meaning the victim must click the link or visit a specially crafted page.

Impact

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which will be executed when other users visit the affected site [1]. This can lead to defacement, phishing, or further compromise of the WordPress installation.

Mitigation

The vulnerability is patched in version 2.3.7 of the plugin. Users are strongly advised to update immediately [1]. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update can be applied [1]. Given the potential for mass exploitation, prompt action is recommended.