CVE-2025-39363: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in AlphaEfficiencyTeam's Custom Login and Registration WordPress plugin, affecting all versions up to 1.0.0. The vulnerability was discovered by researcher Nguyen Ngoc Quang Bach (maysbachs) and was publicly disclosed on May 2, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The National Vulnerability Database (NVD) has assigned a slightly lower CVSS score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising user data and website integrity (Patchstack).

Currently, no official fix is available from the plugin developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative authentication plugins (Patchstack).