CVE-2025-22776
Published: 15 January 2025
Summary
CVE-2025-22776 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22776 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Bulletin Board plugin (wp-bulletin-board) for WordPress developed by codebycarter. This issue affects all versions of the plugin from n/a through 1.1.4.
Attackers with network access can exploit this vulnerability without authentication or privileges, requiring low attack complexity and user interaction, such as visiting a malicious link. Exploitation enables script execution in the victim's browser context with a changed scope, resulting in low impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory documents this Reflected XSS vulnerability specifically in WP Bulletin Board version 1.1.4 and provides further details on the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2986
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codebycarter WP Bulletin Board wp-bulletin-board allows Reflected XSS.This issue affects WP Bulletin Board: from n/a through <= 1.1.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web application via crafted malicious links requiring user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the improper neutralization vulnerability by identifying, reporting, and correcting the specific XSS flaw in the WP Bulletin Board plugin.
Information output filtering prevents reflected XSS by encoding or sanitizing user inputs before rendering them in web pages, neutralizing malicious scripts.
Information input validation rejects or sanitizes malicious inputs before processing, blocking XSS payloads from being reflected in the WordPress plugin's web page generation.