CVE-2025-46477 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'WP Customize Login Page' developed by Carlo La Pera. This vulnerability arises due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode input fields that are subsequently rendered on the login page, allowing an attacker to inject malicious JavaScript code that is stored persistently. When a legitimate user or administrator accesses the affected login page, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the user, or redirection to malicious sites. The affected versions include all versions up to and including 1.6.5, with no fixed patch currently available. Although no known exploits have been reported in the wild, the vulnerability was publicly disclosed on April 24, 2025, and is considered medium severity. The vulnerability does not require authentication to exploit, as the login page is publicly accessible, and exploitation only requires the attacker to submit crafted input that gets stored and later executed. The lack of a patch and the persistent nature of the XSS increase the risk of exploitation once attackers develop proof-of-concept code.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the WP Customize Login Page plugin installed. Successful exploitation can compromise the confidentiality of user credentials and session tokens, leading to unauthorized access to administrative accounts. This can result in website defacement, data leakage, or further compromise of internal networks if the WordPress site serves as an entry point. Integrity of the login page and potentially other connected systems can be undermined by injected scripts. Availability impact is indirect but possible if attackers use the vulnerability to deploy malware or conduct phishing campaigns targeting users. Organizations in sectors such as finance, government, healthcare, and e-commerce are particularly at risk due to the sensitive nature of their data and regulatory requirements under GDPR. Additionally, the public accessibility of the login page means that attackers do not need insider access, increasing the attack surface. The medium severity rating reflects the balance between the ease of exploitation and the potential damage, but the absence of known exploits suggests that proactive mitigation can prevent incidents.

1. Immediate removal or deactivation of the WP Customize Login Page plugin until a secure patched version is released. 2. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the login page URL. 3. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and untrusted sources on the login page. 4. Conduct manual code review and apply custom input sanitization and output encoding if plugin modification is feasible. 5. Monitor web server and application logs for unusual input patterns or repeated attempts to inject scripts. 6. Educate administrators and users about phishing risks and suspicious login page behavior. 7. Regularly update WordPress core and plugins to minimize exposure to known vulnerabilities. 8. Use multi-factor authentication (MFA) on administrative accounts to reduce the impact of credential theft. 9. Prepare incident response plans specifically addressing web application compromise scenarios. These steps go beyond generic advice by focusing on compensating controls and proactive monitoring tailored to this specific plugin and vulnerability type.