CVE-2025-31459 Overview
CVE-2025-31459 is a Cross-Site Request Forgery (CSRF) vulnerability in the PasqualePuzio Login Alert WordPress plugin that chains into Stored Cross-Site Scripting (XSS). The flaw affects all versions of the login-alert plugin up to and including 0.2.1. An attacker who tricks an authenticated administrator into visiting a crafted page can submit unauthorized requests to the plugin, persisting malicious script payloads into plugin-controlled storage. The stored payload then executes in the browser of any user who views the affected page. The weakness is tracked as CWE-352.
Critical Impact
A successful attack persists attacker-controlled JavaScript in a WordPress site, enabling session theft, administrative account takeover, and arbitrary actions performed in the context of authenticated users.
Affected Products
- PasqualePuzio Login Alert plugin for WordPress
- All versions from initial release through 0.2.1
- WordPress sites with the login-alert plugin installed and active
Discovery Timeline
- 2025-03-28 - CVE-2025-31459 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-31459
Vulnerability Analysis
The vulnerability combines two distinct web application weaknesses into a single exploitation chain. The Login Alert plugin exposes a state-changing endpoint that lacks CSRF token validation. An attacker hosts a malicious page containing an auto-submitting form or fetch request that targets the plugin's settings handler. When an authenticated administrator visits the page, the browser submits the forged request using the administrator's session cookies.
Because the same endpoint also fails to sanitize or encode user-supplied input before storing it, the forged request writes attacker-controlled JavaScript into the plugin's persistent configuration. The payload is later rendered in plugin output pages without escaping, producing Stored XSS. Exploitation requires user interaction, which is reflected in the CVSS vector component UI:R, and the scope change (S:C) reflects script execution crossing into the WordPress administrative context.
Root Cause
The root cause is missing anti-CSRF protection on plugin form submissions, compounded by missing output encoding on stored configuration fields. The plugin does not validate a WordPress nonce via wp_verify_nonce() or check_admin_referer() before processing requests, and it does not apply esc_html() or esc_attr() when rendering stored values.
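The following PHP is an added illustration of that root cause and of the fix, not code taken from the Login Alert plugin or the advisory. The option name `la_example_subject`, the form field `la_subject`, the nonce action and the `admin_post_` action name are all assumptions chosen for the example; the unsafe pair shows the pattern the advisory describes, the hardened pair shows what a correct handler does with nonce verification, a capability check, input sanitization and output escaping.

```php
<?php
// Added illustration of the root cause and its fix; this is not the Login Alert
// plugin's own code. The option name, field name, nonce action and admin-post
// action name are assumptions made for the example.

// Pattern the advisory describes (do not use): no nonce, no capability check,
// raw input stored, stored value printed back without escaping.
function la_example_unsafe_save() {
    if ( isset( $_POST['la_subject'] ) ) {
        update_option( 'la_example_subject', $_POST['la_subject'] ); // stored as received
    }
}
function la_example_unsafe_field() {
    // A stored value containing a quote and a script tag breaks out of the attribute here.
    echo '<input name="la_subject" value="' . get_option( 'la_example_subject' ) . '">';
}

// Hardened form: the nonce is bound to the current user's session and to this
// action, so a form auto-submitted from another origin cannot carry a valid one.
function la_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="la_example_save">
        <?php wp_nonce_field( 'la_example_save', 'la_example_nonce' ); ?>
        <label>Alert subject
            <input name="la_subject"
                   value="<?php echo esc_attr( get_option( 'la_example_subject', '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

function la_example_save() {
    // 1. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF: check_admin_referer() dies with a 403 unless the nonce is present
    //    and valid for this action.
    check_admin_referer( 'la_example_save', 'la_example_nonce' );
    // 3. Input: the subject is plain text, so strip tags and control characters
    //    before it reaches the options table.
    $subject = sanitize_text_field( wp_unslash( $_POST['la_subject'] ?? '' ) );
    update_option( 'la_example_subject', $subject );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_la_example_save', 'la_example_save' );
```

Output escaping with esc_attr() is kept even though the input is sanitized on the way in: the option could have been written by another code path (WP-CLI, a migration, direct database access), so the render side must never trust what it reads back. The two controls address the two weaknesses separately; fixing only the nonce would still leave a stored XSS reachable by anyone who can legitimately save settings.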
Attack Vector
The attack is delivered over the network and requires no privileges on the target system. An attacker crafts a page that issues a forged POST request to the vulnerable plugin endpoint. The administrator must be authenticated to WordPress and must visit the attacker-controlled page or click a malicious link. After the request lands, any subsequent visit to the affected admin or front-end page renders the injected script in the visitor's browser. See the Patchstack Vulnerability Advisory for additional technical context.
No verified public proof-of-concept code is available for this issue. The exploitation mechanism is described in prose based on the advisory.
Detection Methods for CVE-2025-31459
Indicators of Compromise
- Unexpected <script> tags, event handlers, or encoded JavaScript stored in Login Alert plugin options within the WordPress wp_options table
- Outbound requests from administrator browsers to unknown domains shortly after visiting external links
- Creation of new WordPress administrator accounts or modification of existing user roles without a corresponding audit trail
Detection Strategies
- Inspect plugin-controlled rows in wp_options for HTML or JavaScript content where plain text is expected
- Review web server access logs for POST requests to Login Alert plugin endpoints originating from external Referer headers
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution on WordPress admin pages
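The first of these strategies can be automated. The scanner below is an added example (not from the advisory or the plugin) that runs the same check as the WP-CLI query later on this page but also looks through HTML-entity and URL encoding, which a plain REGEXP on the raw column misses. The option rows are constructed for the demonstration; in a real audit they would come from `wp option list --search='login_alert*' --format=json` or a `$wpdb` query, and the option names used here are placeholders.

```php
<?php
// Added example: scan option rows for script-like content, including values
// hidden behind HTML-entity or URL encoding. Not part of the Login Alert plugin.
// The rows below are constructed sample data with placeholder option names.

// Return the raw value plus its decoded forms so an encoded payload is still seen.
function la_decode_variants( string $value ): array {
    $flags = ENT_QUOTES | ENT_HTML5;
    return array_values( array_unique( [
        $value,
        html_entity_decode( $value, $flags, 'UTF-8' ),
        urldecode( $value ),
        html_entity_decode( urldecode( $value ), $flags, 'UTF-8' ),
    ] ) );
}

// Names of the indicator patterns that match any decoded variant of the value.
function la_script_indicators( string $value ): array {
    $patterns = [
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'javascript_uri' => '/javascript\s*:/i',
        'active_element' => '/<\s*(svg|iframe|object|embed)\b/i',
    ];
    $hits = [];
    foreach ( la_decode_variants( $value ) as $variant ) {
        foreach ( $patterns as $name => $re ) {
            if ( preg_match( $re, $variant ) ) {
                $hits[ $name ] = true;
            }
        }
    }
    return array_keys( $hits );
}

// Rows are arrays with 'option_name' and 'option_value' keys, as wp_options returns them.
function la_scan_options( array $rows ): array {
    $findings = [];
    foreach ( $rows as $row ) {
        $hits = la_script_indicators( (string) $row['option_value'] );
        if ( $hits ) {
            $findings[] = [ 'option_name' => $row['option_name'], 'indicators' => $hits ];
        }
    }
    return $findings;
}

// Constructed sample rows: one clean, one entity-encoded, one URL-encoded.
$sample_rows = [
    [ 'option_name' => 'login_alert_subject', 'option_value' => 'New login on {site}' ],
    [ 'option_name' => 'login_alert_footer',  'option_value' => '&lt;img src=x onerror=x&gt;' ],
    [ 'option_name' => 'login_alert_link',    'option_value' => 'javascript%3Avoid%280%29' ],
];

foreach ( la_scan_options( $sample_rows ) as $finding ) {
    printf( "%s: %s\n", $finding['option_name'], implode( ', ', $finding['indicators'] ) );
}
```

Run it with `php scan.php`; the clean subject produces no line, the footer row is reported for `event_handler` and the link row for `javascript_uri`. Treat any hit on a field that should hold plain text as an indicator to investigate rather than proof of compromise, since legitimate settings occasionally contain markup.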
Monitoring Recommendations
- Alert on administrative actions performed immediately after navigation from non-WordPress referrers
- Monitor file integrity for WordPress core and plugin directories to detect secondary payloads dropped after XSS execution
- Track failed and successful authentication events for privileged accounts and correlate them with plugin configuration changes
How to Mitigate CVE-2025-31459
Immediate Actions Required
- Deactivate and remove the Login Alert plugin on any site running version 0.2.1 or earlier until a patched release is confirmed
- Audit the wp_options table for stored script payloads in Login Alert configuration entries and remove malicious content
- Force password resets and invalidate active sessions for all WordPress administrator accounts
Patch Information
No fixed version is identified in the advisory at the time of publication. The vulnerability affects the plugin through version 0.2.1. Review the Patchstack Vulnerability Advisory for updates on a patched release.
Workarounds
- Remove the login-alert plugin from production WordPress installations and replace it with an actively maintained login notification plugin
- Restrict access to /wp-admin/ using IP allowlisting at the web server or WAF layer to reduce CSRF exposure
- Enforce a strict Content Security Policy that disallows inline scripts in the WordPress administrative interface
- Require administrators to use separate browser profiles or sessions for WordPress management to limit cross-site request exposure
# Disable and remove the vulnerable plugin via WP-CLI
wp plugin deactivate login-alert
wp plugin delete login-alert
# Search the options table for suspicious stored content
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%login_alert%' AND option_value REGEXP '<script|onerror=|onload=';"
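The Content Security Policy workaround above is easiest to roll out as a must-use plugin. The file below is an added example, not part of the Login Alert plugin or the advisory; the REST namespace `csp-example/v1` and the route name are assumptions. It sends a report-only policy on admin requests and logs the violation reports the browser posts back, which is the report-only mode the detection section recommends before any enforcing policy is attempted.

```php
<?php
/**
 * Plugin Name: CSP report-only for wp-admin (added example)
 * Description: Place in wp-content/mu-plugins/. Not part of the Login Alert plugin.
 */

// Emit a report-only policy on every admin request. Report-only never blocks
// anything, so it is safe to deploy first; the reports show where inline
// script executes on admin pages.
add_action( 'admin_init', function () {
    if ( headers_sent() ) {
        return;
    }
    $report_endpoint = rest_url( 'csp-example/v1/report' ); // registered below
    header(
        "Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'; "
        . "report-uri {$report_endpoint}"
    );
} );

// Receive violation reports and write a one-line summary to the PHP error log.
add_action( 'rest_api_init', function () {
    register_rest_route( 'csp-example/v1', '/report', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // browsers send reports without credentials
        'callback'            => function ( WP_REST_Request $request ) {
            $report = json_decode( $request->get_body(), true );
            $body   = is_array( $report ) ? ( $report['csp-report'] ?? [] ) : [];
            error_log( sprintf(
                'CSP violation on %s: directive=%s blocked=%s sample=%s',
                $body['document-uri'] ?? '?',
                $body['violated-directive'] ?? '?',
                $body['blocked-uri'] ?? '?',
                substr( (string) ( $body['script-sample'] ?? '' ), 0, 80 )
            ) );
            return new WP_REST_Response( null, 204 );
        },
    ] );
} );
```

Expect a steady baseline of reports from WordPress core and other plugins, which rely on inline scripts throughout the admin interface; the signal to look for is a new `inline` violation on the Login Alert settings page or on pages that render its stored options. For the same reason, move to an enforcing policy only after the baseline has been handled with nonces or hashes, otherwise the admin interface stops working. `report-uri` is the older directive but is still the most widely honoured one for this purpose.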
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.