CVE-2025-49037: 
WordPress vulnerability analysis and mitigation

The WordPress Authentication and xmlrpc log writer plugin versions 1.2.2 and below contain a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2025-49037). The vulnerability was discovered by Nguyen Xuan Chien and reported on July 29, 2025. This unauthenticated vulnerability allows attackers to inject malicious scripts into the web application (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 7.1, indicating medium severity. It involves improper neutralization of input during web page generation, which allows attackers to inject arbitrary web scripts or HTML. The vulnerability requires no authentication to exploit, making it particularly dangerous (CISA).

If exploited, this vulnerability could allow malicious actors to inject scripts that can redirect users, display unwanted advertisements, and execute other HTML payloads on the affected website. These scripts would be executed when visitors access the compromised site. The software is considered abandoned, as it hasn't been updated in over a year, increasing the potential impact of this vulnerability (Patchstack).

As there is no official fix available, website administrators are advised to either remove and replace the plugin or implement virtual patching through security solutions. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).