CVE-2025-22313
Published: 09 January 2025
Summary
CVE-2025-22313 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 35.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22313 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the OTWthemes Widgetize Pages Light WordPress plugin (widgetize-pages-light). This issue affects all versions of the plugin from n/a through 3.0 inclusive. The vulnerability was published on 2025-01-09 and carries a CVSS v3.1 base score of 7.1.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation enables reflected XSS, allowing attackers to inject and execute malicious scripts in the context of a victim's browser, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) but with a changed scope (S:C).
Mitigation details are available in advisories such as the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/widgetize-pages-light/vulnerability/wordpress-widgetize-pages-light-plugin-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2713
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light widgetize-pages-light allows Reflected XSS. This issue affects Widgetize Pages Light: from n/a through <= 3.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables remote exploitation via malicious links (T1190, T1204.001) and arbitrary JavaScript execution in the victim's browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
SI-15 requires filtering of output prior to rendering in web pages, directly preventing reflected XSS by neutralizing malicious scripts injected via untrusted input in the Widgetize Pages Light plugin.
SI-10 enforces validation of information inputs to block malicious script injection, comprehensively addressing the improper neutralization vulnerability in this reflected XSS issue.
SI-2 mandates identification and correction of system flaws, enabling patching of the specific XSS vulnerability in all versions of the Widgetize Pages Light WordPress plugin up to 3.0.
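As an added illustration of the SI-10 and SI-15 controls in a WordPress plugin handler (example code written for this page, not the Widgetize Pages Light plugin's own code), the vulnerable pattern is shown beside its hardened form; the request parameter name otw_search and both function names are assumptions.

```php
<?php
// Added example, not code from the Widgetize Pages Light plugin.
// The parameter name 'otw_search' and the function names are assumptions.

// VULNERABLE pattern: the class of defect behind a reflected XSS.
// A query-string value is written straight into the generated page,
// so whatever a crafted link carries is rendered as markup in the
// victim's browser (no input validation, no output filtering).
function vulnerable_render_search_term() {
    $term = isset( $_GET['otw_search'] ) ? $_GET['otw_search'] : '';
    echo '<p>Results for: ' . $term . '</p>';          // element content, unescaped
    echo '<input type="text" value="' . $term . '">';  // attribute context, unescaped
}

// HARDENED pattern: validate on the way in (SI-10) and escape for the
// exact output context on the way out (SI-15). Both layers are kept
// because sanitization alone does not know where the value will land.
function hardened_render_search_term() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, NUL bytes and stray line breaks.
    $term = isset( $_GET['otw_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['otw_search'] ) )
        : '';

    // SI-10: enforce the expected shape. A search term has no business
    // being longer than this; reject rather than try to "clean" it.
    if ( strlen( $term ) > 100 ) {
        $term = '';
    }

    // SI-15: escape per context. esc_html() neutralizes <, >, &, quotes
    // for element content; esc_attr() does the same for attribute values.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" value="' . esc_attr( $term ) . '">';
}
```

The escaping call must match the output context (esc_html, esc_attr, esc_url, esc_js); a value that is safe inside a paragraph can still break out of an attribute or a script block if the wrong helper is used.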