CVE-2025-22320
Published: 07 January 2025
Summary
CVE-2025-22320 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22320 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the ProductDyno WordPress plugin. This issue impacts all versions of the plugin from unknown initial release through 1.0.24. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, though it necessitates user interaction, such as visiting a maliciously crafted URL. Exploitation occurs when unsanitized user input is reflected in the generated web page, allowing execution of arbitrary JavaScript in the victim's browser context. This enables limited impacts on confidentiality, integrity, and availability with changed scope, potentially leading to session hijacking, data theft, or further client-side compromise.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/productdyno/vulnerability/wordpress-productdyno-plugin-1-0-24-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in the ProductDyno WordPress plugin version 1.0.24 and serves as a primary reference for mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2720
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProductDyno ProductDyno productdyno allows Reflected XSS.This issue affects ProductDyno: from n/a through <= 1.0.24.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS directly enables browser session hijacking via arbitrary JS execution and facilitates exploitation of the public-facing WordPress plugin.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper neutralization of user input by requiring validation of inputs to prevent reflected XSS script injection in the ProductDyno plugin.
Mitigates reflected XSS by filtering and encoding information outputs before inclusion in dynamically generated web pages.
Requires identification, reporting, and correction of the specific flaw in ProductDyno versions through 1.0.24 to eliminate the XSS vulnerability.