CVE-2025-22330
Published: 09 January 2025
Summary
CVE-2025-22330 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses reflected XSS by filtering web page outputs to neutralize malicious scripts before they execute in the victim's browser.
Validates and sanitizes user inputs to the MG Parallax Slider plugin, preventing crafted payloads from being improperly reflected.
Ensures timely identification, reporting, and patching of the specific flaw in MG Parallax Slider versions through 1.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS via malicious link enables spearphishing link delivery (T1566.002), user execution of malicious link (T1204.001), and JavaScript execution in browser (T1059.007).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahesh Waghmare MG Parallax Slider mg-parallax-slider allows Reflected XSS.This issue affects MG Parallax Slider: from n/a through <= 1.0..
Deeper analysisAI
CVE-2025-22330 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the MG Parallax Slider WordPress plugin (mg-parallax-slider) developed by Mahesh Waghmare. This issue affects all versions of the plugin from n/a through 1.0 inclusive, as documented in the CVE description published on 2025-01-09.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with crafted input reflected in web pages generated by the plugin, achieving arbitrary script execution in the victim's browser context with changed scope and low impacts to confidentiality, integrity, and availability.
Patchstack advisories detail the Reflected XSS vulnerability specifically in MG Parallax Slider version 1.0 for WordPress, available at https://patchstack.com/database/Wordpress/Plugin/mg-parallax-slider/vulnerability/wordpress-mg-parallax-slider-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)