CVE-2025-22775
Published: 03 February 2025
Summary
CVE-2025-22775 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses improper neutralization of input during web page generation by filtering output to prevent reflected XSS script execution in victims' browsers.
Validates untrusted inputs to the WordPress plugin, blocking malicious payloads that could be reflected as executable JavaScript.
Remediates the specific flaw in the intelligent-importer plugin through timely identification, reporting, and patching up to version 5.1.3.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application). Arbitrary JS execution facilitates stealing web session cookies (T1539).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in idiatech Catalog Importer, Scraper & Crawler intelligent-importer allows Reflected XSS.This issue affects Catalog Importer, Scraper & Crawler: from n/a through <= 5.1.3.
Deeper analysisAI
CVE-2025-22775 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the idiatech Catalog Importer, Scraper & Crawler WordPress plugin (intelligent-importer). This issue impacts all versions from n/a through 5.1.3. The vulnerability has a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this Reflected XSS by crafting malicious input that is reflected and executed in the victim's browser upon user interaction, such as clicking a specially prepared link. Exploitation enables arbitrary JavaScript execution in the context of the affected site, potentially allowing the attacker to steal session tokens, cookies, or other sensitive data from authenticated users, or perform other client-side attacks.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/intelligent-importer/vulnerability/wordpress-catalog-importer-scraper-crawler-plugin-5-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in the WordPress Catalog Importer, Scraper & Crawler plugin up to version 5.1.3.
Details
- CWE(s)