CVE-2025-22775

CVE-2025-22775 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the idiatech Catalog Importer, Scraper & Crawler WordPress plugin (intelligent-importer). This issue impacts all versions from n/a through 5.1.3. The vulnerability has a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this Reflected XSS by crafting malicious input that is reflected and executed in the victim's browser upon user interaction, such as clicking a specially prepared link. Exploitation enables arbitrary JavaScript execution in the context of the affected site, potentially allowing the attacker to steal session tokens, cookies, or other sensitive data from authenticated users, or perform other client-side attacks.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/intelligent-importer/vulnerability/wordpress-catalog-importer-scraper-crawler-plugin-5-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in the WordPress Catalog Importer, Scraper & Crawler plugin up to version 5.1.3.