CVE-2025-22521
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Farrell wp Hosting Performance Check (wp-hosting-performance-check) allows Reflected XSS. This issue affects wp Hosting Performance Check: from n/a through <= 2.18.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the WordPress wp Hosting Performance Check plugin (≤ 2.18.8) lets an unauthenticated attacker craft a link that, when opened by a victim, runs attacker-controlled script in the victim's browser session.
Vulnerability Overview
The wp Hosting Performance Check plugin for WordPress (versions ≤ 2.18.8) contains a reflected cross-site scripting (XSS) vulnerability classed as improper neutralization of input during web page generation, CWE-79 [1]. The plugin writes user-supplied request data into an HTML response without escaping it for the output context, so an attacker can close the surrounding markup and insert arbitrary HTML or JavaScript that the browser then renders and executes.
Exploitation Conditions
The attacker needs no account on the site, but does need a victim to act: the payload travels in a crafted URL (or in a form that submits to the vulnerable page), and it only runs when someone opens that link in a browser [1]. The bug is reflected rather than stored, so nothing persists on the server; each victim has to be lured separately, and the injected script runs with whatever session that victim holds. The realistic target is therefore an authenticated administrator or editor, whose browser session lets the script perform privileged actions on their behalf.
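The escaping failure behind CWE-79 and its fix, covering both the overview above and the exploitation conditions, as an added example written for this page rather than code from the wp Hosting Performance Check plugin: the advisory does not disclose which parameter or page is affected, so the `host` query parameter, the two render functions, the canary payloads and the stand-in WordPress helpers below are all assumptions. The block runs with the plain `php` CLI and prints the unescaped and escaped output side by side for a text-node payload and an attribute payload.

```php
<?php
// Added example (not the plugin's code): the generic reflected-XSS pattern
// behind CWE-79 in a WordPress admin page, next to the hardened form.
// The "host" parameter, the function names and the payloads are hypothetical;
// the advisory does not name the affected parameter or page.

// Stand-ins for WordPress escaping helpers so the file runs with plain `php`.
// Inside WordPress the real functions from wp-includes/formatting.php are
// already defined and these branches are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified stand-in for WordPress's sanitize_text_field():
    // strip tags and control characters, then trim.
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// VULNERABLE: query-string input is written straight into the response.
// Whoever follows a crafted link gets the payload executed in their own
// browser, with that user's WordPress session.
function render_results_unsafe(array $get): string {
    $host  = $get['host'] ?? '';
    $html  = "<h2>Results for {$host}</h2>\n";
    $html .= "<input type=\"text\" name=\"host\" value=\"{$host}\">\n";
    return $html;
}

// HARDENED: escape for the exact output context (text node vs attribute).
// Sanitising on input is defence in depth; escaping on output is the fix.
function render_results_safe(array $get): string {
    $host  = sanitize_text_field((string) ($get['host'] ?? ''));
    $html  = '<h2>Results for ' . esc_html($host) . "</h2>\n";
    $html .= '<input type="text" name="host" value="' . esc_attr($host) . "\">\n";
    return $html;
}

// Constructed canary payloads: one breaks out of the text node, one breaks
// out of the attribute value. Neither is taken from a real attack.
$payloads = [
    'text-context' => 'example.com<script>alert(1)</script>',
    'attr-context' => 'example.com" onfocus="alert(1)" autofocus="',
];

foreach ($payloads as $label => $payload) {
    $get = ['host' => $payload];
    echo "== {$label} ==\n";
    echo "unsafe:\n" . render_results_unsafe($get);
    echo "safe:\n" . render_results_safe($get) . "\n";
}
```

The point of the two payloads is that escaping is context-specific: `esc_html()` is enough for the heading, but the attribute value also needs the double quote neutralised, which is why the hardened function uses `esc_attr()` there. A generic "strip tags" pass on input (the sanitize stand-in) does nothing against the attribute breakout on its own.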
Impact
If a victim follows the crafted link, the injected script runs in their browser with their WordPress session. From there it can redirect users, display advertisements, attempt to steal session cookies, or deface the site [1]. One caveat for the cookie-theft case: WordPress marks its authentication cookies HttpOnly, so the more realistic outcome is the script driving authenticated requests to the admin interface directly from the victim's browser rather than exfiltrating the cookie. The CVSS v3 score of 7.1 (High) reflects an attack that needs no privileges and has low complexity, but does require user interaction to land.
Mitigation Status
As of publication, no official patch has been confirmed, and every release up to and including 2.18.8 is affected [1]. Administrators should update the plugin as soon as a fixed version is released. Until then, either deactivate the plugin or rely on a virtual patch: Patchstack provides a mitigation rule that blocks the attack pattern until the official fix can be tested and applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 2.18.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.