CVE-2025-22586
Published: 13 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dstoever WPEX Replace DB Urls wpex-replace allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through <= 0.4.0.
Security Summary
CVE-2025-22586 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin WPEX Replace DB Urls (wpex-replace) by dstoever. The issue affects all versions from n/a through 0.4.0 inclusive. Published on 2025-01-13, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or authentication but relying on user interaction, such as clicking a malicious link. Exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability, such as injecting scripts into reflected user input to steal session cookies or perform actions in the authenticated user's browser context on affected WordPress sites.
The Patchstack advisory provides further details on this vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/wpex-replace/vulnerability/wordpress-wpex-replace-db-urls-plugin-0-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)