CVE-2025-2613 is a stored Cross-Site Scripting vulnerability (CWE-79) in the Login Manager – Design Login Page, View Login Activity, Limit Login Attempts WordPress plugin by mehrazmorshed. The flaw exists in the handling of custom logo and background URLs, where insufficient input sanitization and output escaping allow authenticated users with administrator-level permissions to inject arbitrary web scripts. These scripts execute when any user accesses the affected pages. The vulnerability specifically impacts multi-site WordPress installations or those with the unfiltered_html capability disabled. The CVSS 3.1 base score is 4.4 (medium), reflecting network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low confidentiality and integrity impact.

An authenticated attacker with administrator-level permissions can inject persistent malicious scripts into the plugin's pages via custom logo and background URLs. These scripts execute in the context of users visiting the affected pages, potentially leading to session hijacking, defacement, or other client-side impacts. The vulnerability does not affect single-site installations or those with unfiltered_html enabled. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict administrator access to trusted users only and consider disabling multi-site features or enabling unfiltered_html if feasible to reduce exposure. Avoid using custom logo and background URLs in affected plugin versions.