CVE-2025-22791

The WordPress theme 'offset writing' versions from n/a through 1.2 contain a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into the response, which is then executed in the victim's browser.

Exploitation requires user interaction, such as clicking a specially crafted link or visiting a malicious page [1]. While the attacker does not need authentication, the vulnerable aspect may require a privileged user to perform an action, making the attack chain dependent on tricking a user with appropriate access [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously.

Successful exploitation enables an attacker to execute malicious scripts that can perform redirects, display advertisements, or inject other HTML payloads. These scripts run in the context of the affected site, potentially leading to data theft, session hijacking, or defacement [1].

As of the publication date, an official patch may not be available. Users are advised to update the theme to a patched version if available, or implement a web application firewall rule to block attacks. Patchstack has provided a mitigation rule to protect against exploitation until an official fix is applied [1].