CVE-2025-22345

Vulnerability

Overview CVE-2025-22345 is a reflected cross-site scripting (XSS) vulnerability in the TS Comfort DB WordPress plugin (versions up to and including 2.0.7). The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code into a response [1].

Exploitation

Details Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The attacker does not need authentication, but the victim must perform an action (e.g., click a link) for the payload to execute. This makes the vulnerability suitable for mass exploitation campaigns targeting WordPress sites [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute in the context of the victim's browser when they visit the affected site, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

The vendor has not yet released an official patch, but Patchstack has issued a mitigation rule to block attacks until an update is available. Users are advised to update the plugin as soon as a patched version is released or apply the mitigation rule provided by Patchstack [1].