CVE-2025-22313

Vulnerability

Overview

The Widgetize Pages Light plugin for WordPress versions 3.0 and below contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into the application's response.

Exploitation

Details

To exploit this vulnerability, an attacker must craft a malicious link or form that, when clicked by a privileged user (such as an administrator), triggers the injection [1]. The attack does not require authentication from the attacker but relies on the victim performing an action like clicking a link or submitting a form. This makes it suitable for mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or performing other actions that compromise the site's integrity and user trust [1].

Mitigation

As of the publication date, no official patch has been released. Users are advised to update the plugin to a patched version if available, or apply a virtual patch from security providers like Patchstack to block exploitation attempts until an official fix can be deployed [1].