CVE-2025-26547
Published: 13 February 2025
Summary
CVE-2025-26547 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26547 is a Cross-Site Request Forgery (CSRF) vulnerability in the My Login Logout Plugin (my-loginlogout) for WordPress, developed by nagarjunsonti. The flaw enables Stored Cross-Site Scripting (XSS) and affects the plugin from unspecified initial versions through 2.4 inclusive.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, but it requires user interaction, such as a logged-in user clicking a malicious link. Exploitation uses CSRF to inject stored XSS payloads. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): the scope changes because the injected script executes in the browsers of other affected users, with low impacts to confidentiality, integrity, and availability.
The Patchstack advisory provides further details on this vulnerability, including potential mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/my-loginlogout/vulnerability/wordpress-my-login-logout-plugin-plugin-2-4-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4215
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin my-loginlogout allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through <= 2.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin enables remote exploitation via CSRF to stored XSS; requires user interaction with malicious link to trigger injection.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching directly closes the CSRF to stored XSS vulnerability in the My Login Logout Plugin versions through 2.4, eliminating the exploit path.
- SI-10 (Information Input Validation): input validation rejects malicious XSS payloads injected via CSRF into the plugin, preventing their storage and subsequent execution.
- SC-23 (Session Authenticity): session authenticity protections, such as anti-CSRF tokens, block unauthorized forged requests that exploit the plugin to store XSS payloads.
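The following is an added illustration of the two controls above in WordPress plugin code; it is not code from the my-loginlogout plugin, and the option names, function names and form field are hypothetical. It shows a settings handler that stores a message without a nonce check or sanitization beside the hardened form that applies SC-23 (a WordPress nonce as the anti-CSRF token) and SI-10 (validation before storage, encoding on output).

```php
<?php
// Added illustration, not code from the my-loginlogout plugin. Option names,
// function names and the form field are hypothetical.

// --- Vulnerable pattern: no nonce check, raw input stored, raw output echoed.
// A forged POST submitted while an administrator is logged in is processed
// as if the administrator sent it; the stored value is later rendered into a
// page, so any script inside it runs in other users' browsers.
function vuln_save_message() {
    if ( isset( $_POST['login_message'] ) ) {
        update_option( 'vuln_login_message', $_POST['login_message'] );
    }
}
function vuln_show_message() {
    echo get_option( 'vuln_login_message', '' );
}

// --- Hardened pattern: session authenticity (SC-23) plus input validation
// (SI-10), both applied before anything reaches the database.
function safe_save_message() {
    if ( ! isset( $_POST['login_message'] ) ) {
        return;
    }
    // Only users allowed to change settings may reach this code at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Anti-CSRF token: the nonce is bound to the logged-in user and this
    // action, so a cross-site form cannot supply a valid one.
    // check_admin_referer() stops execution if the nonce is missing or invalid.
    check_admin_referer( 'safe_save_message', 'safe_save_message_nonce' );
    // Input validation: strip tags and unexpected characters before storage.
    $message = sanitize_text_field( wp_unslash( $_POST['login_message'] ) );
    update_option( 'safe_login_message', $message );
}
function safe_show_message() {
    // Output encoding is the last line of defence if anything slips past validation.
    echo esc_html( get_option( 'safe_login_message', '' ) );
}
function safe_message_form() {
    // The legitimate form must emit the matching nonce field.
    echo '<form method="post">';
    wp_nonce_field( 'safe_save_message', 'safe_save_message_nonce' );
    echo '<input type="text" name="login_message">';
    submit_button( 'Save' );
    echo '</form>';
}
```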