CVE-2025-22688

CVE-2025-22688 is a Cross-Site Request Forgery (CSRF) vulnerability in the Unlimited Page Sidebars WordPress plugin developed by Ederson Peka, which enables Stored XSS. This issue affects all versions of the plugin from n/a through 0.2.6 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users—such as site administrators—into visiting a malicious webpage that submits a forged request. This CSRF action injects a Stored XSS payload into the plugin's sidebars, which then executes in the context of other users viewing affected pages. Successful exploitation allows limited theft of sensitive data, modification of site content, or minor disruptions, though impacts remain low per the CVSS metrics.

The Patchstack advisory provides further details on this vulnerability, including technical analysis and affected configurations, accessible at https://patchstack.com/database/Wordpress/Plugin/unlimited-page-sidebars/vulnerability/wordpress-unlimited-page-sidebars-plugin-0-2-6-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should advise WordPress site operators using the plugin to update to a version beyond 0.2.6, where the issue is addressed.