CVE-2025-22760

CVE-2025-22760 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CodeBard Help Desk WordPress plugin (codebard-help-desk). This issue affects all versions from n/a through 1.1.2 inclusive. The vulnerability was published on 2025-01-15 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Attackers can exploit this Reflected XSS over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability. In practice, this allows injection of arbitrary scripts into web pages viewed by users, potentially leading to session hijacking, data theft, or further phishing within the victim's browser context.

The Patchstack advisory documents this vulnerability in the CodeBard Help Desk WordPress plugin version 1.1.2 and provides further technical details: https://patchstack.com/database/Wordpress/Plugin/codebard-help-desk/vulnerability/wordpress-codebard-help-desk-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.