
CVE-2025-2613: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mehrazmorshed Login Manager – Design Login Page, View Login Activity, Limit Login Attempts

Severity: Medium (CVSS 3.1 base score 4.4)
Tags: CVE-2025-2613, CWE-79
Published: Fri Apr 18 2025 (04/18/2025, 01:44:10 UTC)
Source: CVE Database V5
Vendor/Project: mehrazmorshed
Product: Login Manager – Design Login Page, View Login Activity, Limit Login Attempts

Description

CVE-2025-2613 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin 'Login Manager – Design Login Page, View Login Activity, Limit Login Attempts' by mehrazmorshed, affecting all versions up to and including 2.0.5. The plugin's custom logo and background URL settings are neither sanitized on input nor escaped on output, so an authenticated administrator can save a value that injects script into the page where those URLs are rendered. On a single-site install an administrator holds the unfiltered_html capability and may legitimately publish script, so the flaw counts as a vulnerability only on multi-site installations or on sites where unfiltered_html has been disabled, where an administrator is not supposed to be able to do this. Exploitation requires administrator-level privileges and, as scored, no user interaction; the attack surface is confined to environments meeting those conditions. The CVSS 3.1 base score is 4.4 (medium), reflecting a network attack vector with high attack complexity, limited impact on confidentiality and integrity, and no impact on availability. No public exploits are known. Organizations running the plugin in such environments should prioritize patching or mitigation to prevent persistent XSS that could compromise administrative sessions or site integrity.

AI-Powered Analysis

Last updated: 02/25/2026, 22:26:18 UTC

Technical Analysis

CVE-2025-2613 is a stored cross-site scripting vulnerability classified under CWE-79 in the WordPress plugin 'Login Manager – Design Login Page, View Login Activity, Limit Login Attempts' by mehrazmorshed, affecting all versions up to and including 2.0.5. It stems from improper neutralization of input during web page generation, specifically in the handling of the custom logo and background URLs. These values are stored without sanitization and rendered without escaping, so an attacker with administrator-level privileges can supply, instead of a plain URL, a string that breaks out of the attribute or style context the URL is written into and introduces arbitrary JavaScript. The payload persists in the site's settings and executes in the browser of anyone who loads the affected page, which lets it act on that user's session. The vulnerability is limited to multi-site WordPress installations or sites where the unfiltered_html capability is disabled: elsewhere an administrator can already publish script, so the lack of escaping crosses no privilege boundary. The CVSS 3.1 base score is 4.4 (medium), with a vector of network attack vector, high attack complexity, privileges required and no user interaction. There are no known exploits in the wild at this time, and no patches have been linked yet. The case illustrates the two separate controls a plugin needs for a value like this: validation at save time (only an absolute http(s) URL should ever be stored) and context-appropriate escaping at output, applied regardless of the capabilities of the user who saved it.

Potential Impact

The primary impact of CVE-2025-2613 is persistent cross-site scripting in WordPress multi-site environments (or unfiltered_html-disabled sites) running the vulnerable plugin. An administrator of one site can store a script that executes in the browser of other administrators or of users with elevated permissions who load the affected page. In a multi-site network that includes the super admin, so a site administrator's payload running in a super admin's session is a privilege escalation from site-level to network-level control. Consequences include session hijacking, actions performed on behalf of the victim, theft of authentication material, or defacement of administrative pages. Availability is not affected, but the confidentiality and integrity of the affected sites can be compromised. Because administrator-level access is required, the realistic threat is a malicious or compromised administrator account rather than an anonymous attacker. In large organizations or managed hosting environments with many site administrators, that population is larger and the escalation path to the network administrator is correspondingly more valuable. The flaw could also serve as a persistence or pivoting step in a broader attack chain. Organizations relying on multi-site WordPress installations with this plugin should treat the risk as significant enough to warrant prompt attention.

Mitigation Recommendations

To mitigate CVE-2025-2613, first check whether the 'Login Manager – Design Login Page, View Login Activity, Limit Login Attempts' plugin is installed, and whether the install is a multi-site network or has unfiltered_html disabled; that is where the flaw is a real privilege boundary, although any install should still be updated once a fix is published. Since no official patch links are currently listed, consider temporarily disabling the plugin or limiting the administrator role to trusted personnel. Inspect the stored custom logo and background URL values directly: a legitimate value is a plain absolute http(s) URL, so anything containing quotes, angle brackets, a javascript: or data: scheme, or inline style or script fragments is suspect and should be reset. A Web Application Firewall can add generic XSS signatures, but treat it as defense in depth only: the payload arrives through the plugin's own settings form from an authenticated administrator, and signatures tuned to block it may also block normal administrative work. Monitor administrative activity logs for changes to the plugin's UI customization settings, especially by accounts that do not normally touch them. Enforce least privilege so that as few accounts as possible hold administrator rights, and make sure administrators understand why untrusted content must not be pasted into settings fields. Check for plugin updates regularly and apply the fix promptly once released. Content Security Policy headers can reduce what an injected script can do, with the caveat that WordPress core and many plugins rely on inline scripts in wp-admin and on the login page, so a policy strict enough to block injected inline script needs testing (start in report-only mode) before it is enforced. Include WordPress plugins and multi-site configuration in periodic security audits and vulnerability scans.
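The unsafe save-and-render pattern the technical analysis describes, next to the validate-on-save plus escape-on-output fix the mitigation section asks for, as an added illustration. This is not the plugin's own code: the option names, the markup (an <img src> for the logo and a CSS url() for the background) and the sample payloads are assumptions made for the example. It is plain PHP so it runs from the command line; the WordPress functions that do the same job in a real plugin are named in the comments.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the Login Manager plugin.
 * Assumed: the plugin stores a logo URL and a background URL and renders them
 * into the login page as an <img src> and a CSS url(). Real option names and
 * markup are unknown and invented here.
 */

// Constructed sample inputs (not taken from the advisory): one legitimate URL
// and three strings an administrator could paste into the same settings field.
const SAMPLE_INPUTS = [
    'benign'         => 'https://cdn.example.test/login-logo.png',
    'attr_breakout'  => '" onerror="alert(document.cookie)" x="',
    'javascript_uri' => 'javascript:alert(1)',
    'style_breakout' => 'x.png"); }</style><script>alert(1)</script><style>a{b:url("',
];

// --- Vulnerable pattern: the stored value is dropped straight into markup ---
function render_logo_vulnerable(string $logo_url): string
{
    return '<img class="custom-logo" src="' . $logo_url . '">';
}

function render_background_vulnerable(string $bg_url): string
{
    return '<style>body.login{background-image:url("' . $bg_url . '");}</style>';
}

// --- Hardened pattern -------------------------------------------------------
// Save-time validation. In WordPress this belongs in the sanitize_callback of
// register_setting(), where esc_url_raw() does the equivalent job. Returns ''
// for anything that is not an absolute http(s) URL free of delimiter
// characters, so javascript:, data: and break-out strings are never stored.
function sanitize_media_url(string $url): string
{
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    // Quotes, angle brackets, parentheses, whitespace and backslashes can
    // close an HTML attribute or a CSS url() string; an image URL needs none.
    if (preg_match('/["\'<>()\s\\\\]/', $url)) {
        return '';
    }
    return $url;
}

// Render-time escaping (WordPress: esc_url() for src, esc_attr() elsewhere).
// Applied even to validated values, so a bad row that reached the database by
// some other path is still neutralised at output.
function esc_attr_plain(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_logo_hardened(string $logo_url): string
{
    $safe = sanitize_media_url($logo_url);
    // Rendering no logo is safer than rendering an attacker-chosen one.
    return $safe === '' ? '' : '<img class="custom-logo" src="' . esc_attr_plain($safe) . '">';
}

function render_background_hardened(string $bg_url): string
{
    $safe = sanitize_media_url($bg_url);
    // Inside <style> HTML entities are not decoded, so escaping cannot help
    // here; safety comes from the validator having rejected '"', ')' and '<'.
    return $safe === '' ? '' : '<style>body.login{background-image:url("' . $safe . '");}</style>';
}

// Run every sample through both renderers; doubles as a quick regression check.
function compare_renderers(): array
{
    $rows = [];
    foreach (SAMPLE_INPUTS as $label => $value) {
        $rows[$label] = [
            'vulnerable_logo' => render_logo_vulnerable($value),
            'hardened_logo'   => render_logo_hardened($value),
            'vulnerable_bg'   => render_background_vulnerable($value),
            'hardened_bg'     => render_background_hardened($value),
        ];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    foreach (compare_renderers() as $label => $row) {
        echo "== {$label} ==\n";
        foreach ($row as $kind => $html) {
            echo str_pad($kind, 16) . ($html === '' ? '(rejected, nothing rendered)' : $html) . "\n";
        }
    }
}
```

Run it with `php` from the command line: the vulnerable renderers emit the three payloads as live markup, while the hardened ones render only the benign URL. The same `sanitize_media_url()` check can be run over exported option values when auditing an install, since any stored value it rejects is not a plain image URL and deserves a look. Note that the validation must not be skipped for users who hold unfiltered_html: the plugin cannot know at render time which install it is running on, so the value is sanitized regardless of who saved it.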


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-03-21T16:37:31.081Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b25b7ef31ef0b54e998

Added to database: 2/25/2026, 9:35:33 PM

Last enriched: 2/25/2026, 10:26:18 PM

Last updated: 2/26/2026, 10:33:52 AM

