CVE-2025-22506

High

Published: 13 January 2025

Published

13 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0009 25.0th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda smart-agenda-prise-de-rendez-vous-en-ligne allows Stored XSS.This issue affects Smart Agenda: from n/a through <= 4.7.

Security Summary

CVE-2025-22506 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Smart Agenda WordPress plugin (smart-agenda-prise-de-rendez-vous-en-ligne). This issue affects all versions of the plugin from an unspecified initial release through 4.7.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, and changed scope with low impacts to confidentiality, integrity, and availability. Attackers can exploit it without authentication by leveraging CSRF to inject malicious payloads that enable stored XSS, allowing execution of scripts in the browser context of authenticated users or site visitors who view affected pages.

The Patchstack advisory provides further details on the vulnerability, documented as a CSRF-to-Stored XSS issue in Smart Agenda plugin version 4.7, available at https://patchstack.com/database/Wordpress/Plugin/smart-agenda-prise-de-rendez-vous-en-ligne/vulnerability/wordpress-smart-agenda-plugin-4-7-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/smart-agenda-prise-de-rendez-vous-en-ligne/vulnerability/wordpress-smart-agenda-plugin-4-7-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com