CVE-2025-22570

High

Published: 13 January 2025

Published

13 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0009 25.0th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdjekic Inline Tweets inline-tweets allows Stored XSS.This issue affects Inline Tweets: from n/a through <= 2.0.

Security Summary

CVE-2025-22570 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Inline Tweets WordPress plugin by mdjekic. The issue affects all versions of the plugin from n/a through 2.0 inclusive. Published on 2025-01-13, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though successful exploitation requires user interaction. By injecting malicious payloads through the plugin's input handling, adversaries can store scripts that execute in the browser context of authenticated or other users viewing affected pages, potentially leading to low impacts on confidentiality, integrity, and availability within a changed scope.

The Patchstack advisory provides further details on the vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/inline-tweets/vulnerability/wordpress-inline-tweets-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/inline-tweets/vulnerability/wordpress-inline-tweets-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com