CVE-2025-23792 Overview
CVE-2025-23792 is a reflected Cross-Site Scripting (XSS) vulnerability in the WP Busters Passwordless WP – Login with your glance or fingerprint WordPress plugin. The flaw affects all plugin versions up to and including 1.1.6. It stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An attacker can craft a malicious URL that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser session. The vulnerability requires user interaction and operates over the network without prior authentication.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in a victim's browser, leading to session hijacking, credential theft, or unauthorized actions within the WordPress site context.
Affected Products
- WP Busters Passwordless WP – Login with your glance or fingerprint plugin
- All versions from initial release through 1.1.6
- WordPress sites running the passwordless-wp plugin
Discovery Timeline
- 2025-01-27 - CVE-2025-23792 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23792
Vulnerability Analysis
The vulnerability is a reflected Cross-Site Scripting (XSS) flaw classified under [CWE-79]. The plugin accepts user-controlled input and reflects it back into HTTP responses without proper sanitization or output encoding. When the response is rendered in the victim's browser, the injected payload executes within the origin of the affected WordPress site.
The Exploit Prediction Scoring System (EPSS) assigns this issue an exploitation probability of 0.206%, which puts it in the 42nd percentile of known vulnerabilities. While no public proof-of-concept has been published, reflected XSS in WordPress plugins is a well-understood class of issue with established exploitation patterns.
The attack is a CVSS scope change: injected scripts execute under the affected site's origin and can interact with cookies, session storage, and, if the victim is authenticated, the WordPress administrative interface.
Root Cause
The plugin fails to apply WordPress output escaping functions such as esc_html(), esc_attr(), or wp_kses() to user-supplied parameters before echoing them into the generated HTML. This permits HTML and JavaScript injection through request parameters that are subsequently reflected in plugin-rendered pages.
Attack Vector
An attacker delivers a crafted URL to a victim through phishing, social engineering, or third-party site links. When the victim visits the URL, the malicious payload reflects into the response and executes in the browser. If the victim is an authenticated WordPress administrator, the attacker can perform privileged actions including creating admin accounts, modifying content, or installing malicious plugins.
The vulnerability mechanism is described in the Patchstack WordPress XSS Vulnerability advisory. No verified exploitation code has been published.
Detection Methods for CVE-2025-23792
Indicators of Compromise
- Unusual outbound requests from administrator browsers to attacker-controlled domains shortly after visiting plugin URLs
- WordPress audit log entries showing unexpected administrator account creation or plugin installation
- HTTP access logs containing requests to passwordless-wp endpoints with parameters carrying <script>, javascript:, or HTML-encoded payloads
Detection Strategies
- Inspect web server logs for query strings containing encoded or raw script tags targeting plugin endpoints
- Deploy a Web Application Firewall (WAF) rule that flags reflected XSS patterns in requests to wp-content/plugins/passwordless-wp/
- Correlate suspicious referrer headers with administrator authentication events in WordPress logs
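The log-inspection strategy above, worked through in Python as an added example (not part of the advisory): it scopes the rule to the plugin directory, peels layered URL and HTML-entity encoding so double-encoded payloads are not missed, and flags the indicators the advisory names. The endpoint file name, parameter names and log lines are constructed placeholders, not the plugin's real endpoints.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scope the rule to the plugin directory, as the detection strategy above suggests.
PLUGIN_PATH = "/wp-content/plugins/passwordless-wp/"
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The indicators named in the advisory: script tags and javascript: URIs.
XSS_RE = re.compile(r"<\s*/?\s*script\b|javascript\s*:", re.IGNORECASE)

def normalize(value: str) -> str:
    """Peel layered encodings: URL-decode until stable, then decode HTML entities."""
    for _ in range(4):  # bounded, so a pathological value cannot loop forever
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)

def scan_line(line: str):
    """Return a finding for a suspicious request to the plugin path, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.startswith(PLUGIN_PATH):
        return None  # other paths are outside this rule's scope
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = normalize(raw)
        if XSS_RE.search(decoded):
            return {"client": line.split(" ", 1)[0], "path": parts.path,
                    "param": name, "decoded": decoded}
    return None

def scan_log(text: str):
    """Scan every line of an access log and collect the findings."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]

# Constructed sample lines (not from the page); endpoint and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/passwordless-wp/example-endpoint.php?redirect=%2Fwp-admin%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Jan/2025:10:01:05 +0000] "GET /wp-content/plugins/passwordless-wp/example-endpoint.php?redirect=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [27/Jan/2025:10:01:09 +0000] "GET /wp-content/plugins/passwordless-wp/example-endpoint.php?next=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.13 - - [27/Jan/2025:10:01:12 +0000] "GET /wp-content/plugins/passwordless-wp/example-endpoint.php?u=javascript%3Aalert(1) HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.14 - - [27/Jan/2025:10:01:15 +0000] "GET /wp-content/plugins/passwordless-wp/example-endpoint.php?msg=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.15 - - [27/Jan/2025:10:01:18 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""
```

Running `scan_log(SAMPLE_LOG)` flags the four plugin-path requests (single-encoded, double-encoded, javascript: and entity-encoded) and ignores the benign redirect and the request outside the plugin directory.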
Monitoring Recommendations
- Enable verbose request logging for plugin-related URLs and retain logs for forensic review
- Monitor WordPress user role changes, new admin accounts, and plugin installations for unauthorized activity
- Track browser Content Security Policy (CSP) violation reports submitted by administrator sessions
How to Mitigate CVE-2025-23792
Immediate Actions Required
- Deactivate the Passwordless WP plugin until a patched release is verified and installed
- Audit WordPress administrator accounts and recently installed plugins for unauthorized changes
- Force a password reset and session invalidation for all administrative users who may have clicked suspicious links
Patch Information
At the time of publication, the source CVE record lists affected versions through 1.1.6 and does not explicitly state a fixed version. Site operators should consult the Patchstack advisory for the latest fix availability and update the plugin to the most recent release published by WP Busters.
Workarounds
- Disable or uninstall the passwordless-wp plugin until a verified patched version is available
- Deploy a WAF rule blocking requests containing script tags or javascript: URIs against plugin paths
- Implement a strict Content Security Policy that forbids inline scripts and restricts script sources to trusted origins
- Train administrators to avoid clicking unsolicited links pointing to the WordPress site
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.