VYPR
High severity (CVSS 7.1) · NVD Advisory · Published Mar 28, 2025 · Updated Apr 23, 2026

CVE-2025-22356
Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stencies (stencies) allows Reflected XSS. This issue affects Stencies: from n/a through <= 0.58.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in the Stencies plugin for WordPress allows script injection through improper input neutralization.

The Stencies plugin for WordPress, version 0.58 and earlier, contains a reflected Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation [1]. Input is reflected back into the response without proper escaping, so an attacker can inject arbitrary HTML and JavaScript into the page that the victim's browser renders [1].

Successful exploitation requires a privileged user (e.g., an administrator) to be tricked into clicking a crafted link or visiting a malicious page. The attacker needs no authentication, but victim interaction is required [1]. Because the attack is delivered remotely over HTTP, it is well suited to mass-exploitation campaigns against large numbers of WordPress sites regardless of their size or popularity [1].

If exploited, the injected script executes in the context of the victim's session. This could lead to redirection to malicious sites, injection of unwanted advertisements, or other HTML payloads that affect visitors of the compromised website [1]. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant impact on confidentiality, integrity, and availability with moderate attack complexity [1].

A mitigation rule is available from Patchstack to block attacks until an official patch is released and applied. Users are advised to update the plugin or apply the mitigation rule as an immediate action [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.