CVE-2025-22768

CVE-2025-22768 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Rocket Media Library Mime Type by JinHan Park, which enables Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from its initial release through 2.1.0 and is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker (PR:N) can exploit the vulnerability over the network (AV:N) by tricking a logged-in user, typically an administrator, into visiting a malicious webpage that requires user interaction (UI:R). This triggers a CSRF request to the plugin, allowing the attacker to store an XSS payload in the media library with low complexity (AC:L). The stored payload executes in the context of subsequent users viewing the affected media (S:C), potentially enabling arbitrary JavaScript execution to achieve low-level impacts on confidentiality, integrity, and availability, such as session theft or data exfiltration.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rocket-media-library-mime-type/vulnerability/wordpress-rocket-media-library-mime-type-plugin-2-1-0-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve documents the CSRF-to-Stored XSS vulnerability in version 2.1.0 and provides details for mitigation in WordPress environments.