CVE-2025-22522
Published: 07 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in roya khosravi SingSong singsong allows Stored XSS. This issue affects SingSong: from n/a through <= 1.2.
Security Summary
CVE-2025-22522 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Stored Cross-site Scripting (XSS) as classified under CWE-79. It affects the SingSong WordPress plugin developed by roya khosravi, with all versions from n/a through 1.2 inclusive being vulnerable. The issue was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. The attack scenario involves CSRF leading to Stored XSS, where an attacker tricks an authenticated user—such as a site administrator—into submitting malicious input via a crafted request. This stores executable scripts on the site, which then activate in the victim's browser context upon viewing affected pages, potentially compromising session data or performing actions on the user's behalf, resulting in low impacts to confidentiality, integrity, and availability across a changed scope.
The Patchstack advisory provides details on mitigation: https://patchstack.com/database/Wordpress/Plugin/singsong/vulnerability/wordpress-singsong-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve.
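As an added illustration (not code from SingSong or its author), the two handler shapes behind a CSRF-to-stored-XSS chain in a WordPress plugin: a settings handler that accepts a POST without a nonce and echoes the stored value unescaped, beside the hardened form. The option name, form field and `demo_`-prefixed functions are hypothetical; `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_unslash`, `sanitize_text_field`, `update_option`, `get_option` and `esc_html` are WordPress core APIs and the snippet assumes WordPress is loaded.

```php
<?php
// Illustrative example only, not the SingSong plugin's code.
// Hypothetical option 'demo_greeting' and form field 'demo_greeting'.

// Vulnerable shape: no capability check, no nonce, raw input stored, raw output echoed.
function demo_save_greeting_unsafe() {
    if ( isset( $_POST['demo_greeting'] ) ) {
        // A page an administrator visits elsewhere can auto-submit this form (CSRF),
        // and whatever it carries is persisted as-is.
        update_option( 'demo_greeting', $_POST['demo_greeting'] );
    }
}
function demo_render_greeting_unsafe() {
    // The stored string is rendered unescaped in every viewer's browser (stored XSS).
    echo '<p>' . get_option( 'demo_greeting', '' ) . '</p>';
}

// Hardened shape: capability check, nonce verification, input sanitization, output escaping.
function demo_greeting_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field bound to the current user's session and this action.
    wp_nonce_field( 'demo_save_greeting', 'demo_greeting_nonce' );
    echo '<input type="text" name="demo_greeting">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
function demo_save_greeting_safe() {
    if ( ! isset( $_POST['demo_greeting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Rejects forged cross-site requests: a third-party page cannot know a valid nonce.
    check_admin_referer( 'demo_save_greeting', 'demo_greeting_nonce' );
    // Strip tags, line breaks and control characters before storage.
    $value = sanitize_text_field( wp_unslash( $_POST['demo_greeting'] ) );
    update_option( 'demo_greeting', $value );
}
function demo_render_greeting_safe() {
    // Escape at output time regardless of what reached the database.
    echo '<p>' . esc_html( get_option( 'demo_greeting', '' ) ) . '</p>';
}
```

The nonce check alone closes the CSRF entry point; the output escaping is what removes the stored XSS even if a value was written through some other path.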
Details
- CWE(s)