CVE-2025-22682
Published: 03 February 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saeed Sattar Beglou Hesabfa Accounting hesabfa-accounting allows Reflected XSS. This issue affects Hesabfa Accounting: from n/a through <= 2.1.2.
Security Summary
CVE-2025-22682 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Hesabfa Accounting WordPress plugin developed by Saeed Sattar Beglou. This issue affects the plugin from unknown initial versions through 2.1.2. Published on 2025-02-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): high severity, driven by network reachability, low attack complexity, no required privileges and a changed scope, with the attack requiring user interaction.
Remote attackers can exploit this vulnerability by tricking authenticated or unauthenticated users into interacting with maliciously crafted links or inputs that cause the site to reflect an XSS payload back into the page. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially enabling session token theft, account takeover, or phishing within the site's domain. The changed scope (S:C) raises the rating because the impact lands in the victim's browser rather than in the vulnerable plugin itself, though the impacts on confidentiality, integrity, and availability are each rated low.
The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/hesabfa-accounting/vulnerability/wordpress-hesabfa-accounting-plugin-2-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the flaw in the Hesabfa Accounting plugin up to version 2.1.2. Practitioners should review this reference for vendor-recommended mitigations, such as applying available patches or hardening configurations against XSS.
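To make the class of bug concrete, the following is an added illustration of a reflected-XSS pattern in a WordPress plugin page beside its hardened form; it is not code from the Hesabfa Accounting plugin, and the function names, the `q` parameter and the page layout are assumptions for demonstration only.

```php
<?php
// Added illustration, not code from the Hesabfa Accounting plugin.
// Hypothetical plugin page that echoes a request parameter back into HTML.
// The hypo_* names and the 'q' parameter are assumptions for demonstration.

// Vulnerable pattern: untrusted request data is written straight into the
// response, so '<', '>' or quote characters in the value become live markup.
function hypo_render_search_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input type="text" name="q" value="' . $q . '">';
    echo '<p>Results for: ' . $q . '</p>';
}

// Hardened pattern: unslash and sanitize on input, then encode for the exact
// output context (attribute value vs. element text) with WordPress helpers.
function hypo_render_search_fixed() {
    $q = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// Defense in depth for the front end: a Content-Security-Policy that forbids
// inline scripts limits what a reflected payload can do if escaping is missed.
// Validate on a staging site first, since themes and plugins that rely on
// inline scripts (and wp-admin itself) will be affected by this policy.
add_action( 'send_headers', function () {
    if ( ! is_admin() && ! headers_sent() ) {
        header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

The fixed variant is the shape a code review of any plugin output path should look for: sanitize at the boundary, escape at the point of output, and pick the escaping function by context rather than applying one helper everywhere.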
Details
- CWE(s)