CVE-2025-22733
Published: 21 January 2025
Summary
CVE-2025-22733 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22733 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin My Auctions Allegro (my-auctions-allegro-free-edition) by wphocus. The issue affects all versions of the plugin from n/a through 3.6.18.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by injecting malicious scripts into reflected user input on affected sites, achieving scope-changed impacts with low confidentiality, integrity, and availability effects, such as session hijacking or client-side data theft for interacting users.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in the My Auctions Allegro plugin version 3.6.18 and provides details on mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2951
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.18.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables exploitation for client execution (T1203) via malicious links, directly facilitating arbitrary JavaScript execution (T1059.007) in the victim's browser for impacts like session hijacking.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Information output filtering directly neutralizes malicious scripts in reflected user input during web page generation to prevent XSS exploitation.
Information input validation ensures malicious payloads in user inputs are rejected or sanitized before reflection in web pages.
Flaw remediation requires timely patching of the vulnerable WordPress plugin to eliminate the specific XSS vulnerability.