CVE-2025-22356
Published: 28 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-22356 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Stencies WordPress plugin. This issue impacts all versions of Stencies from n/a through 0.58 inclusive. The vulnerability was published on 2025-03-28 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction, such as visiting a maliciously crafted URL. Upon successful exploitation, adversaries can inject and execute arbitrary scripts in the victim's browser context due to the changed scope, resulting in low impacts to confidentiality, integrity, and availability, such as potential session hijacking or data theft within the site's domain.
The primary advisory from Patchstack, available at https://patchstack.com/database/Wordpress/Plugin/stencies/vulnerability/wordpress-stencies-plugin-0-58-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, documents the Reflected XSS flaw specifically in Stencies plugin version 0.58 and provides details relevant to mitigation for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007), directly facilitating browser session hijacking and data theft (T1185); exploitation typically involves delivering a crafted malicious URL via spearphishing (T1566.002).