CVE-2025-22355
Published: 07 January 2025
Summary
CVE-2025-22355 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22355 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Kikx Simple Post Author Filter WordPress plugin (sa-post-author-filter). This issue affects all versions of the plugin from n/a through 1.0 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by injecting malicious payloads into web pages generated by the plugin, leading to script execution in the context of a victim's browser. This enables potential theft of session cookies, keystroke logging, or page defacement, with low impacts to confidentiality, integrity, and availability but changed scope.
Patchstack documents this vulnerability in their WordPress plugin database, highlighting the Reflected XSS risk in Kikx Simple Post Author Filter version 1.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2754
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in asokaaso2 Kikx Simple Post Author Filter sa-post-author-filter allows Reflected XSS.This issue affects Kikx Simple Post Author Filter: from n/a through <= 1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of a web application vulnerability for initial access and client-side script execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Information Output Filtering directly prevents reflected XSS by encoding or filtering untrusted inputs reflected in web page generation by the plugin.
Information Input Validation blocks malicious payloads at entry, mitigating improper neutralization exploited in the plugin's post author filter.
Flaw Remediation addresses the specific vulnerability by patching or removing the affected Kikx Simple Post Author Filter plugin versions up to 1.0.