CVE-2025-22358

CVE-2025-22358 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, in the WP Advertising Management WordPress plugin developed by Simone Marcon. The issue affects all versions of the plugin from n/a through 1.0.3 inclusive. Published on 2025-01-07, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.

Remote attackers require no privileges and can exploit the vulnerability over the network with low complexity by tricking authenticated users into interacting with malicious content, such as clicking a crafted link or submitting tainted input that reflects executable scripts. Successful exploitation enables script injection into dynamically generated web pages viewed in the victim's browser, potentially compromising low levels of confidentiality (e.g., session data exposure), integrity (e.g., data tampering), and availability (e.g., denial of service), with impacts extending beyond the vulnerable component due to the changed scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/advertising-management/vulnerability/wordpress-wp-advertising-management-plugin-1-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.