CVE-2025-27333: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Protected wp-login WordPress plugin, affecting versions up to and including 2.1. The vulnerability was discovered by Nguyen Xuan Chien and publicly disclosed on February 21, 2025. This security issue has been assigned CVE-2025-27333 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Patchstack, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the Protected wp-login plugin. It has received varying CVSS scores from different sources: a CVSS v3.1 Base Score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L according to Patchstack, and a score of 6.1 (MEDIUM) according to WPScan (Patchstack, WPScan).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. The potential impact includes the ability for attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads into the website, which will be executed when guests visit the site (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).