CVE-2025-22622
Description
The plugin "Age Verification for your checkout page. Verify your customer's identity" version 1.20.0 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/class-wc-integration-agechecker-integration.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected cross-site scripting (XSS) in Age Verification plugin 1.20.0 allows attackers to inject arbitrary web scripts via unvalidated data in the checkout integration.
Vulnerability
Overview
CVE-2025-22622 is a reflected cross-site scripting (XSS) vulnerability in the Age Verification for your checkout page plugin (version 1.20.0) for WordPress. The flaw resides in the file myapp/class-wc-integration-agechecker-integration.php, where the plugin dynamically generates web content without properly validating the source of potentially untrusted data [1][2]. This lack of input sanitization allows an attacker to inject arbitrary JavaScript or HTML into the generated page.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a script payload. If a victim clicks on such a link, the injected script will be executed in the context of the victim's browser session on the affected WordPress site. No authentication is required to trigger the vulnerability, but user interaction is necessary (e.g., clicking a link) [2].
Impact
Successful exploitation enables an attacker to perform actions on behalf of the victim, such as stealing session cookies, redirecting to malicious sites, or defacing the page. This could lead to account compromise or further attacks against the site's users.
Mitigation
The vulnerability has been patched in version 1.20.1 of the plugin. Users are strongly advised to update to the latest version immediately [2]. No workarounds have been provided.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.