CVE-2025-22767
Published: 28 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-22767 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79. It affects the Global Payments WooCommerce WordPress plugin (global-payments-woocommerce) in all versions from n/a through 1.13.2.
An unauthenticated attacker can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N), but it necessitates user interaction (UI:R), such as clicking a malicious link. Exploitation allows arbitrary script execution in the context of the victim's browser, yielding low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) with a changed scope (S:C), for an overall CVSS v3.1 score of 7.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/global-payments-woocommerce/vulnerability/wordpress-globalpayments-woocommerce-plugin-1-12-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin allows remote exploitation via crafted malicious links that execute arbitrary scripts in the victim's browser.