CVE-2025-22704

CVE-2025-22704 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS), in the WordPress Signature plugin developed by Abinav Thakuri (wordpress-signature). This issue affects all versions of the plugin from n/a through 0.1 inclusive. Published on 2025-02-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.

A remote attacker with network access can exploit this vulnerability with low complexity and no required privileges, though it requires user interaction such as clicking a malicious link. Successful exploitation enables the attacker to inject and execute arbitrary scripts in a victim's browser context due to reflected XSS, potentially leading to low-impact confidentiality, integrity, and availability effects with a changed scope, such as session hijacking or data theft from authenticated users.

Patchstack advisories document this vulnerability, accessible via their database entry at https://patchstack.com/database/Wordpress/Plugin/wordpress-signature/vulnerability/wordpress-wordpress-signature-plugin-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve, which provides details on affected versions and recommended mitigations.