CVE-2025-22336

CVE-2025-22336 is a Cross-Site Request Forgery (CSRF) vulnerability in the Wizhi Multi Filters by Wenprise WordPress plugin that allows Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 1.8.6 inclusive and is associated with CWE-352. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its network accessibility, low complexity, lack of required privileges, user interaction requirement, and scope change with low impacts on confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely (AV:N) by tricking authenticated users, such as site administrators, into interacting with a malicious request (UI:R), such as via a crafted link or form submission lacking proper CSRF tokens. Successful exploitation enables the storage of malicious XSS payloads on the site, which execute in the context of other users viewing affected content, potentially leading to session hijacking, data theft, or further site compromise.

The Patchstack advisory documents this CSRF-to-Stored XSS vulnerability specifically in the Wizhi Multi Filters by Wenprise WordPress plugin up to version 1.8.6, serving as a key reference for vulnerability details and collection within their database.