Cyber Posture

CVE-2025-22705

High

Published: 14 February 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0008 (23.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in godthor Disqus Popular Posts disqus-popular-posts allows Reflected XSS. This issue affects Disqus Popular Posts: from n/a through <= 2.1.1.

Security Summary

CVE-2025-22705 is a Cross-Site Request Forgery (CSRF) vulnerability in the godthor Disqus Popular Posts WordPress plugin (disqus-popular-posts) that allows Reflected Cross-Site Scripting (XSS). This issue affects versions from n/a through <= 2.1.1 and is classified under CWE-352.

The vulnerability can be exploited remotely over the network by an attacker with no privileges and low attack complexity, but user interaction is required: the victim must be induced to submit a request crafted by the attacker. Successful exploitation crosses a security scope boundary (the injected script runs in the victim's browser in the context of the vulnerable site) and has low impact on confidentiality, integrity, and availability, as reflected in its CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The root cause is a request handler that neither verifies the request origin (no nonce check) nor escapes the submitted input before reflecting it in the response, so CSRF becomes the delivery vehicle for reflected XSS against authenticated users.
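The following PHP snippet is an added illustration of the CSRF-to-reflected-XSS pattern in a WordPress plugin settings handler, placed beside a hardened version. It is hypothetical code constructed for this page; it is not the Disqus Popular Posts plugin's own code, and the function names, option name and form field (`hypo_*`) are assumptions. The WordPress API calls used (`check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`, `esc_html`, `esc_attr`, `current_user_can`) are real core functions.

```php
<?php
// Hypothetical plugin settings page (constructed example, not the plugin's code).
// Both handlers below save a "title" option and echo a confirmation message.

// --- Vulnerable pattern (CWE-352 leading to reflected XSS) ---
// Defect 1: no nonce/referer verification, so a request forged by another site
//           and sent by an authenticated admin's browser is accepted.
// Defect 2: the submitted value is echoed back without escaping, so whatever
//           the forged request contained is rendered as HTML in the admin's session.
function hypo_popular_posts_settings_vulnerable() {
    if ( isset( $_POST['hypo_title'] ) ) {
        $title = $_POST['hypo_title'];                       // raw, unsanitised
        update_option( 'hypo_popular_posts_title', $title );  // stored unsanitised
        echo '<div class="notice notice-success"><p>Saved title: '
            . $title . '</p></div>';                          // reflected unescaped
    }
    echo '<form method="post"><input type="text" name="hypo_title">'
        . '<button type="submit">Save</button></form>';
}

// --- Hardened pattern ---
function hypo_popular_posts_settings_hardened() {
    if ( isset( $_POST['hypo_title'] ) ) {
        // Authorisation: only users who may manage options can save settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ) );
        }
        // CSRF defence: verifies the nonce tied to this action and this user;
        // on failure it terminates the request with a 403 page.
        check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

        // Sanitise on input: strips tags and control characters.
        $title = sanitize_text_field( wp_unslash( $_POST['hypo_title'] ) );
        update_option( 'hypo_popular_posts_title', $title );

        // Escape on output: the value is rendered as text, never as markup.
        echo '<div class="notice notice-success"><p>'
            . esc_html( sprintf( 'Saved title: %s', $title ) ) . '</p></div>';
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="text" name="hypo_title"
               value="<?php echo esc_attr( get_option( 'hypo_popular_posts_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Register the hardened page under Settings (hypothetical menu slug).
add_action( 'admin_menu', function () {
    add_options_page(
        'Hypo Popular Posts',
        'Hypo Popular Posts',
        'manage_options',
        'hypo-popular-posts',
        'hypo_popular_posts_settings_hardened'
    );
} );
```

When reviewing a plugin for this class of bug, look for handlers that read from `$_POST`, `$_GET` or `$_REQUEST` without a preceding `check_admin_referer()` / `wp_verify_nonce()` call, and for any `echo` of request data that does not pass through an `esc_*()` function; both conditions must hold for CSRF to escalate into reflected XSS as described in this advisory.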

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/disqus-popular-posts/vulnerability/wordpress-disqus-popular-posts-plugin-2-1-1-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this CSRF to Reflected XSS vulnerability in the Disqus Popular Posts plugin version 2.1.1.

Details

CWE(s): CWE-352

References