Cyber Posture

CVE-2025-22763

High

Published: 21 January 2025
Modified: 28 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0013 (31.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Brizy Pro allows Reflected XSS. This issue affects Brizy Pro: from n/a through 2.6.1.

Security Summary

CVE-2025-22763 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, in the Brizy Pro WordPress plugin. It was published on 2025-01-21 and affects Brizy Pro versions up to and including 2.6.1 (the record gives no lower bound). The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, but exploitation requires user interaction, such as visiting a maliciously crafted URL. Successful exploitation executes arbitrary JavaScript in the victim's browser context. The scope is changed, and the impact on confidentiality, integrity, and availability is limited.

The Patchstack advisory provides further details on this vulnerability at https://patchstack.com/database/wordpress/plugin/brizy-pro/vulnerability/wordpress-brizy-pro-plugin-2-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-79

Affected Products

brizy
brizy
≤ 2.6.1
