Cyber Resilience

CVE-2025-22733

High

Published: 21 January 2025

Published
21 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 32.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22733 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-22733 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin My Auctions Allegro (my-auctions-allegro-free-edition) by wphocus. The issue affects all versions of the plugin from n/a through 3.6.18.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by injecting malicious scripts into reflected user input on affected sites, achieving scope-changed impacts with low confidentiality, integrity, and availability effects, such as session hijacking or client-side data theft for interacting users.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in the My Auctions Allegro plugin version 3.6.18 and provides details on mitigation.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.18.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Reflected XSS enables exploitation for client execution (T1203) via malicious links, directly facilitating arbitrary JavaScript execution (T1059.007) in the victim's browser for impacts like session hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24028Shared CWE-79
CVE-2026-9971Shared CWE-79
CVE-2024-53387Shared CWE-79
CVE-2025-25187Shared CWE-79
CVE-2025-26868Shared CWE-79
CVE-2025-69368Shared CWE-79
CVE-2026-7332Shared CWE-79
CVE-2025-0829Shared CWE-79
CVE-2026-42090Shared CWE-79
CVE-2026-3880Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Information output filtering directly neutralizes malicious scripts in reflected user input during web page generation to prevent XSS exploitation.

prevent

Information input validation ensures malicious payloads in user inputs are rejected or sanitized before reflection in web pages.

prevent

Flaw remediation requires timely patching of the vulnerable WordPress plugin to eliminate the specific XSS vulnerability.

References