WordPress Plugin Vulnerabilities

WP Customize Login Page <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The WP Customize Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
wp-customize-login-page
No known fix

References

CVE
CVE-2025-46477
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/85be8ca3-e08e-4d6a-bc15-65a3435fb9f3

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
8da028bb-cb3c-41da-9308-1ea31a1338a8

Timeline

Publicly Published
2025-04-24 (about 11 months ago)
Added
2025-04-30 (about 11 months ago)
Last Updated
2025-04-30 (about 11 months ago)

Other

Published
Title
Published
2025-03-11
Title
Lunar <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-08-14
Title
Shortcode Redirect < 1.0.03 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-31
Title
WP Feature Box <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-25
Title
RegistrationMagic < 6.0.2.1 - Stored XSS
Published
2024-04-25
Title
XStore Core <= 5.3.5 - Reflected Cross-Site Scripting