CVE-2025-47622: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the apasionados Email Notification on Login WordPress plugin, affecting versions through 1.6.1. The vulnerability was discovered on May 7, 2025, and has been assigned CVE-2025-47622 (NVD, Wiz).

The vulnerability has been classified with a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires high privileges (PR:H), user interaction (UI:R), and has a changed scope (S:C). The impact levels for confidentiality, integrity, and availability are all rated as low (C:L/I:L/A:L) (Patchstack).

If exploited, this vulnerability could allow an attacker to inject malicious scripts into the website. These scripts could be used to redirect users, inject unwanted advertisements, or execute other HTML payloads that would be triggered when users visit the affected site (Patchstack).

As of the vulnerability disclosure, no official fix is available for this issue. The software appears to be abandoned as it has not received updates for over a year. Users are strongly advised to consider removing and replacing the plugin with an alternative solution (Patchstack).