CVE-2025-22320

CVE-2025-22320 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the ProductDyno WordPress plugin. This issue impacts all versions of the plugin from unknown initial release through 1.0.24. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, though it necessitates user interaction, such as visiting a maliciously crafted URL. Exploitation occurs when unsanitized user input is reflected in the generated web page, allowing execution of arbitrary JavaScript in the victim's browser context. This enables limited impacts on confidentiality, integrity, and availability with changed scope, potentially leading to session hijacking, data theft, or further client-side compromise.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/productdyno/vulnerability/wordpress-productdyno-plugin-1-0-24-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in the ProductDyno WordPress plugin version 1.0.24 and serves as a primary reference for mitigation guidance.