CVE-2025-22552
Published: 07 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in bnielsen Affiliate Disclosure Statement affiliate-disclosure-statement allows Cross Site Request Forgery. This issue affects Affiliate Disclosure Statement: from n/a through <= 0.3.
Security Summary
CVE-2025-22552 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Affiliate Disclosure Statement WordPress plugin by bnielsen. This issue affects all versions of the plugin up to and including 0.3. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for scope change with limited impacts on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this CSRF vulnerability over the network by tricking a victim user—typically an authenticated WordPress administrator—into interacting with a malicious webpage, such as by clicking a crafted link. This enables the attacker to forge requests to the plugin, potentially leading to stored cross-site scripting (XSS) as noted in related advisories, allowing execution of arbitrary scripts in the context of the victim's browser and affecting other users who view the injected content.
The Patchstack advisory provides further details on this CSRF-to-stored-XSS vulnerability in Affiliate Disclosure Statement version 0.3 and recommends mitigation steps, available at https://patchstack.com/database/Wordpress/Plugin/affiliate-disclosure-statement/vulnerability/wordpress-affiliate-disclosure-statement-plugin-0-3-csrf-to-stored-xss-vulnerability?_s_id=cve. The CVE was published on 2025-01-07.
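The CWE-352 pattern the summary describes, as an added example that is not the plugin's code: a WordPress settings handler that trusts any POST from an authenticated admin, beside the nonce-checked, capability-checked and sanitized version. Option, field and nonce names are hypothetical.

```php
<?php
// Added example (not the Affiliate Disclosure Statement plugin's code).
// Option name 'ads_demo_statement', field 'ads_statement' and the nonce
// action/field names are hypothetical.

// --- Vulnerable pattern: any POST reaching the admin page is trusted. A page the
// administrator visits elsewhere can auto-submit this form with the admin's
// cookies (CSRF), and the unsanitized value is later rendered to every visitor
// (stored XSS).
function ads_demo_save_insecure() {
    if ( isset( $_POST['ads_statement'] ) ) {
        update_option( 'ads_demo_statement', $_POST['ads_statement'] ); // no nonce, no sanitizing
    }
}

// --- Hardened pattern: verify a nonce bound to this action, check the
// capability, sanitize on write, escape on output.
function ads_demo_save_secure() {
    if ( ! isset( $_POST['ads_statement'] ) ) {
        return;
    }
    // check_admin_referer() terminates the request unless it carries a valid
    // nonce emitted by wp_nonce_field( 'ads_demo_save', 'ads_demo_nonce' );
    // a forged cross-site request cannot supply one.
    check_admin_referer( 'ads_demo_save', 'ads_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ads-demo' ) );
    }
    // wp_kses_post() keeps the markup a disclosure statement legitimately needs
    // (links, emphasis) and strips script tags and event-handler attributes.
    $statement = wp_kses_post( wp_unslash( $_POST['ads_statement'] ) );
    update_option( 'ads_demo_statement', $statement );
}

// Settings form: emit the nonce the hardened handler expects.
function ads_demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ads_demo_save', 'ads_demo_nonce' ); ?>
        <textarea name="ads_statement"><?php
            echo esc_textarea( get_option( 'ads_demo_statement', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Front-end output: sanitized at write time, filtered again at render time so a
// value written by an older, unsanitized code path cannot execute.
function ads_demo_render_statement() {
    return wp_kses_post( get_option( 'ads_demo_statement', '' ) );
}
```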
Details
- CWE(s)