CVE-2025-22711

High

Published: 21 January 2025

Published

21 January 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0014 33.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thomas Maier Image Source Control image-source-control-isc allows Reflected XSS.This issue affects Image Source Control: from n/a through <= 2.29.0.

Security Summary

CVE-2025-22711 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS), in the WordPress plugin Image Source Control (image-source-control-isc) by Thomas Maier. The issue affects all versions of the plugin from n/a through 2.29.0 and is classified under CWE-79.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers with low attack complexity, though it requires user interaction such as clicking a malicious link. Exploitation changes the scope and allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to execute arbitrary scripts in the context of a victim's browser.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/image-source-control-isc/vulnerability/wordpress-image-source-control-lite-plugin-2-29-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in Image Source Control version 2.29.0 and provides details on mitigation, which includes updating the plugin beyond the affected versions.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/image-source-control-isc/vulnerability/wordpress-image-source-control-lite-plugin-2-29-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com