CVE-2025-2613: 
WordPress vulnerability analysis and mitigation

The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2613) discovered on April 17, 2025. This vulnerability affects all versions up to and including 2.0.5, specifically impacting multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Custom logo and background URLs functionality. The CVSS v3.1 base score is 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring high privileges and high attack complexity (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page (NVD).

Users should update their Login Manager plugin to a version newer than 2.0.5 when available. Until then, administrators should be cautious when configuring custom logo and background URLs, especially in multi-site installations (NVD).