CVE-2025-22294
Published: 07 January 2025
Summary
CVE-2025-22294 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 directly addresses improper neutralization of input during web page generation by requiring output filtering to prevent reflected XSS script injection.
SI-10 enforces validation of user inputs to the WordPress plugin, blocking malicious payloads that could lead to reflected XSS execution.
SI-2 mandates timely flaw remediation, such as patching the Custom Field For WP Job Manager plugin to version >1.3, eliminating the specific XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web app (T1190), delivery via malicious links (T1566.002), and arbitrary JS execution in victim browser (T1059.007).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theme funda Custom Field For WP Job Manager custom-field-for-wp-job-manager allows Reflected XSS.This issue affects Custom Field For WP Job Manager: from n/a through <= 1.3.
Deeper analysisAI
CVE-2025-22294 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Custom Field For WP Job Manager WordPress plugin (slug: custom-field-for-wp-job-manager), developed by theme funda, in all versions from n/a through 1.3 inclusive. The issue was published on 2025-01-07.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can inject and reflect malicious scripts via unsanitized input during web page generation, executing arbitrary JavaScript in the victim's browser context with changed scope to the site, potentially compromising low levels of confidentiality, integrity, and availability.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/custom-field-for-wp-job-manager/vulnerability/wordpress-custom-field-for-wp-job-manager-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, detail the Reflected XSS issue in plugin version 1.3 and provide vulnerability information for mitigation guidance.
Details
- CWE(s)