CVE-2025-22264
Published: 23 January 2025
Summary
CVE-2025-22264 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22264 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Query Creator plugin (wp-query-creator) for WordPress. Developed by Patel, the issue affects the plugin from unknown initial versions through 1.0 inclusive. Published on 2025-01-23, it carries a CVSS v3.1 base score of 7.1.
The vulnerability enables exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and results in a changed scope (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Remote attackers can craft malicious inputs that reflect executable JavaScript when processed by the plugin during web page generation, typically via a malicious link or payload delivered through social engineering.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-query-creator/vulnerability/wordpress-wp-query-creator-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides additional details on the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2682
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel WP Query Creator wp-query-creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through <= 1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables direct exploitation of the web app (T1190) via crafted malicious links requiring user interaction (T1204.001).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents reflected XSS by requiring validation of user inputs to the WP Query Creator plugin, neutralizing malicious scripts before web page generation.
SI-15 comprehensively mitigates the CVE by filtering information outputs to prevent execution of injected JavaScript during web page rendering.
SI-2 addresses the vulnerability by mandating timely remediation of the XSS flaw in the WP Query Creator plugin versions through 1.0.