CVE-2025-23792 is a reflected Cross-site Scripting (XSS) vulnerability identified in the WordPress plugin 'Passwordless WP – Login with your glance or fingerprint' developed by WP Busters. This plugin enables passwordless authentication using biometric methods such as facial recognition or fingerprint scanning. The vulnerability exists due to improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed in the context of the victim's browser. Specifically, the reflected XSS occurs when crafted input is included in HTTP responses without adequate sanitization or encoding, enabling attackers to execute arbitrary JavaScript code. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The affected versions include all releases up to and including version 1.1.6. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability does not require authentication to exploit but does require user interaction, such as clicking a malicious link. Given the plugin's role in authentication, exploitation could undermine the security of passwordless login mechanisms, potentially allowing attackers to bypass intended security controls. The issue was published on January 27, 2025, and is tracked under CVE-2025-23792. No official patches or mitigation links have been provided yet, indicating that users should apply defensive measures proactively.

The impact of CVE-2025-23792 is significant for organizations using the affected WordPress plugin, as successful exploitation can compromise user sessions and credentials, undermining the integrity and confidentiality of user authentication. Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, redirection to malicious sites, or theft of sensitive data. Since the plugin facilitates passwordless biometric logins, exploitation could erode trust in this authentication method and expose users to account takeover risks. For organizations relying on this plugin for secure access, the vulnerability could lead to unauthorized access, data breaches, and reputational damage. The reflected nature of the XSS means attacks require user interaction, but phishing or social engineering can facilitate this. The scope is limited to websites using this specific plugin, but given WordPress's widespread use, the potential reach is considerable. No known exploits in the wild reduce immediate risk, but the vulnerability remains a critical concern until patched. The availability impact is minimal, but confidentiality and integrity impacts are high.

To mitigate CVE-2025-23792, organizations should first check for updates or patches from WP Busters and apply them promptly once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on all user-supplied data within the plugin's context. Deploying a robust Content Security Policy (CSP) can help restrict the execution of unauthorized scripts and reduce the risk of XSS exploitation. Web Application Firewalls (WAFs) with XSS detection rules can provide temporary protection by blocking malicious payloads. Site administrators should educate users about phishing risks and avoid clicking suspicious links. Reviewing and limiting plugin usage to trusted sources and considering alternative authentication plugins with better security track records is advisable. Regular security audits and monitoring for unusual activity related to authentication flows can help detect exploitation attempts early. Finally, isolating critical authentication components and enforcing least privilege principles can reduce potential damage.