Cyber Posture

CVE-2025-22590

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0013 (32.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in mmrs151 Prayer Times Anywhere prayer-times-anywhere allows Stored XSS. This issue affects Prayer Times Anywhere: from n/a through <= 2.0.1.

Security Summary

CVE-2025-22590 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Prayer Times Anywhere (prayer-times-anywhere) by mmrs151 that allows Stored XSS. The issue affects versions from n/a through 2.0.1 and is associated with CWE-352. It received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no privileges required, user interaction needed, and scope change with low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users into visiting a malicious webpage that submits a forged request, enabling the storage of XSS payloads. Once stored, these payloads execute in the context of other users viewing affected pages, potentially leading to session hijacking, data theft, or further site compromise within the plugin's scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/prayer-times-anywhere/vulnerability/wordpress-prayer-times-anywhere-plugin-2-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-352
