CVE-2025-22766

CVE-2025-22766 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the WordPress plugin Zarinpal Paid Download (zarinpal-paid-downloads) developed by Masoud Amini. The issue impacts all versions from n/a through 2.3 inclusive. Published on 2025-01-15, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no privileges required, user interaction needed, and scope change with low impacts on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely over the network without authentication by crafting malicious payloads that reflect user input on the web page. Exploitation requires tricking an authenticated user, such as a site administrator or logged-in visitor, into interacting with a malicious link or input (e.g., via phishing or social engineering). Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, theft of sensitive data like cookies or tokens, or minor disruptions, though impacts remain low per the CVSS metrics.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/zarinpal-paid-downloads/vulnerability/wordpress-zarinpal-paid-download-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this WordPress plugin vulnerability and serves as a primary reference for affected versions up to 2.3. Security practitioners should verify plugin updates beyond version 2.3 for patches, apply input sanitization where feasible, and monitor sites running this plugin.