CVE-2025-22337

CVE-2025-22337 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Order Audit Log for WooCommerce WordPress plugin developed by infosoftplugin, with the issue present in all versions from n/a through 2.0 inclusive.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no privileges required, and user interaction such as clicking a malicious link. Attackers can achieve low impacts on confidentiality, integrity, and availability with a changed scope, typically allowing execution of arbitrary scripts in the victim's browser context to steal session data or perform other client-side actions.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/order-audit-log-for-woocommerce/vulnerability/wordpress-order-audit-log-for-woocommerce-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this Reflected XSS issue in plugin version 2.0 and associated mitigation guidance for affected WordPress installations.