Cyber Posture

CVE-2025-22690

Severity: High
Published: 03 February 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in the DigiTimber cPanel Integration plugin (digitimber-cpanel-integration) allows Stored XSS. This issue affects DigiTimber cPanel Integration: all versions up to and including 1.4.6 (no lower bound is given).

Security Summary

CVE-2025-22690 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the DigiTimber cPanel Integration WordPress plugin (digitimber-cpanel-integration). A successful CSRF results in Stored XSS, and all versions up to and including 1.4.6 are affected. The vulnerability was published on 2025-02-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The attacker needs no account on the target site (PR:N) and operates over the network with low attack complexity (AC:L), but does need a victim, typically a logged-in WordPress administrator, to visit an attacker-controlled page that submits a forged request to the plugin (UI:R). The CWE-352 defect is that the plugin does not verify the request was intentionally issued by that user; in WordPress plugins this is usually a missing nonce check, often combined with a missing capability check. The forged request is therefore processed with the victim's privileges and an attacker-supplied value is saved. That stored value is later rendered without escaping, so the script executes in the browser of every user who views the affected page. The scope change (S:C) reflects that the vulnerable component is the plugin while the impact lands in users' browsers; the low confidentiality, integrity and availability ratings reflect what script running in an administrator's session can typically reach, such as reading page content, performing actions as that administrator, or altering what the site serves.

Practitioner notes: this page lists no fixed version, only that 1.4.6 and earlier are affected, so check the installed version (for example, with WP-CLI: wp plugin get digitimber-cpanel-integration --field=version) and update to a later release if one is available, or deactivate the plugin until one is. The EPSS score of 0.0003 (8.5th percentile) indicates that the probability of observed exploitation activity was low at the time of scoring; it is not a statement that exploitation is infeasible, and the attack needs nothing more than a logged-in administrator opening a link.

The Patchstack advisory provides further details on this WordPress plugin vulnerability at https://patchstack.com/database/Wordpress/Plugin/digitimber-cpanel-integration/vulnerability/wordpress-digitimber-cpanel-integration-plugin-1-4-6-csrf-to-stored-xss-vulnerability?_s_id=cve.
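
The pattern described above, as an added illustration rather than code from the DigiTimber plugin (this page does not show the plugin's source): a WordPress admin-post handler that saves a setting without a nonce or capability check and then renders it unescaped, beside the hardened form that closes both holes. Every hook, option and form-field name here is hypothetical; only the WordPress API functions (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, esc_attr and so on) are real.

```php
<?php
/*
 * Illustrative only. NOT code from the DigiTimber cPanel Integration plugin.
 * Shows the generic WordPress pattern behind a "CSRF to Stored XSS" finding
 * and the standard fix. Hook, option and field names are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------

// Any POST to wp-admin/admin-post.php?action=example_save_settings is accepted.
// A logged-in administrator who opens an attacker page that auto-submits a
// form to that URL will store whatever value the attacker chose.
add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // No check_admin_referer()/wp_verify_nonce() and no current_user_can():
    // this is the CSRF (CWE-352). No sanitization: raw HTML is persisted,
    // which is what makes the resulting XSS "stored".
    update_option( 'example_cpanel_host', wp_unslash( $_POST['cpanel_host'] ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_settings_vulnerable() {
    // Unescaped output: a stored value such as "><script>...</script> breaks
    // out of the attribute and runs in every administrator's browser.
    echo '<input name="cpanel_host" value="' . get_option( 'example_cpanel_host' ) . '">';
}

// --- Hardened pattern -------------------------------------------------------

add_action( 'admin_post_example_save_settings_safe', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the form must carry a per-user token that a cross-site
    //    page cannot read, so a forged POST dies here (wp_die on failure).
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Sanitize on input: sanitize_text_field strips tags and control
    //    characters before the value is persisted.
    $host = isset( $_POST['cpanel_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['cpanel_host'] ) )
        : '';
    update_option( 'example_cpanel_host', $host );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

function example_render_settings_safe() {
    // 4. Escape on output and emit the nonce field the handler verifies.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings_safe">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input name="cpanel_host" value="' . esc_attr( get_option( 'example_cpanel_host', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The two halves of the fix are independent: the nonce and capability checks stop the forged request from being accepted at all, while sanitizing on input and escaping on output ensure that even a value that does get stored by some other path cannot execute as script. A plugin that only adds the nonce still leaves any value an authorized user enters unescaped, and a plugin that only escapes still lets a forged request overwrite an administrator's settings, so a review of a "CSRF to Stored XSS" fix should confirm both.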

Details

CWE(s)
CWE-352 (Cross-Site Request Forgery)

References