CVE-2025-22501
Published: 28 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-22501 is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability, classified as CWE-80, in the Improve My City WordPress plugin (improve-my-city). This reflected XSS issue affects all versions of the plugin from n/a through 1.6.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). An unauthenticated attacker accessible over the network can exploit it with low complexity by tricking a user into performing an action, such as visiting a malicious link, which reflects attacker-controlled input containing script elements. Exploitation changes the scope and results in low impacts to confidentiality, integrity, and availability in the victim's browser context.
Patchstack provides details on this vulnerability in their advisory at https://patchstack.com/database/Wordpress/Plugin/improve-my-city/vulnerability/wordpress-improve-my-city-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve, which security practitioners should consult for mitigation guidance and patch information.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser via a crafted malicious link.