CVE-2025-22705
Published: 14 February 2025
Summary
CVE-2025-22705 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22705 is a Cross-Site Request Forgery (CSRF) vulnerability in the godthor Disqus Popular Posts WordPress plugin (disqus-popular-posts) that allows Reflected Cross-Site Scripting (XSS). This issue affects versions from n/a through <= 2.1.1 and is associated with CWE-352.
The vulnerability can be exploited by remote attackers requiring no privileges over a network vector with low attack complexity, though user interaction is required. Exploitation changes the scope and achieves low impacts on confidentiality, integrity, and availability, as reflected in its CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Attackers can leverage CSRF to trick authenticated users into performing actions that trigger reflected XSS.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/disqus-popular-posts/vulnerability/wordpress-disqus-popular-posts-plugin-2-1-1-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this CSRF to Reflected XSS vulnerability in the Disqus Popular Posts plugin version 2.1.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2931
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in godthor Disqus Popular Posts disqus-popular-posts allows Reflected XSS.This issue affects Disqus Popular Posts: from n/a through <= 2.1.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF to reflected XSS in public-facing WordPress plugin enables T1190 (Exploit Public-Facing Application) and facilitates T1059.007 (JavaScript) for arbitrary script execution in browser.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the specific CSRF-to-reflected XSS flaw in the Disqus Popular Posts WordPress plugin.
Protects session authenticity using mechanisms like anti-CSRF tokens to block forged requests that trigger the reflected XSS vulnerability.
Enforces validation of inputs to detect and reject malicious payloads submitted via CSRF that would enable reflected XSS.