CVE-2025-22557

CVE-2025-22557 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the cdowp News Publisher Autopilot WordPress plugin (wpm-news-api). This issue affects all versions from n/a through 2.1.4. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting its network reachability, low complexity, lack of prerequisite privileges, requirement for user interaction, and elevated scope with low impacts across confidentiality, integrity, and availability.

Attackers can exploit this CSRF flaw without authentication by crafting malicious web pages, emails, or links that trick authenticated users into submitting unintended requests to the plugin. User interaction, such as visiting a malicious site, is required to trigger the forgery. Exploitation enables limited unauthorized access or modifications, leveraging the changed scope to affect the plugin's operations with low-level disruptions to data confidentiality, integrity, and availability.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/wpm-news-api/vulnerability/wordpress-news-publisher-autopilot-plugin-2-1-4-csrf-to-stored-xss-vulnerability?_s_id=cve) describes this as a CSRF-to-Stored XSS vulnerability in the News Publisher Autopilot plugin up to version 2.1.4. Security practitioners should consult the advisory for detailed mitigation guidance, including any available patches or workarounds.