CVE-2025-22267 is a stored cross-site scripting (XSS) vulnerability found in the Weaver Themes Shortcode Compatibility plugin for WordPress, specifically affecting versions up to 1.0.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious actors to inject and store arbitrary JavaScript code within the website's content. When other users or administrators visit the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. Stored XSS is particularly dangerous because the payload persists on the server and can affect multiple users over time. The plugin is designed to provide shortcode compatibility for Weaver Themes, a popular WordPress theme, which means it is likely deployed on many WordPress sites. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability is publicly disclosed and should be treated as a serious risk. The lack of authentication requirements and user interaction beyond page visit makes exploitation straightforward for attackers. The vulnerability was reserved and published in early 2025, indicating recent discovery and disclosure. The absence of patch links suggests that a fix may not yet be available, underscoring the urgency for mitigation.

The impact of CVE-2025-22267 can be severe for organizations running WordPress sites with the Weaver Themes Shortcode Compatibility plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to theft of sensitive information such as cookies, session tokens, or credentials. This can facilitate account takeover, unauthorized access to administrative functions, and further compromise of the website. Additionally, attackers can deface websites, inject phishing content, or distribute malware, damaging organizational reputation and user trust. The persistence of stored XSS increases the attack surface and duration of exposure. For e-commerce, financial, or government sites, such compromises can lead to regulatory penalties and financial losses. The ease of exploitation without authentication or complex prerequisites means attackers can rapidly target vulnerable sites at scale. The absence of known exploits in the wild currently limits immediate widespread damage but does not reduce the potential risk. Organizations globally that rely on WordPress and this plugin are at risk of data breaches, service disruption, and reputational harm.

To mitigate CVE-2025-22267, organizations should first check for updates or patches from the Weaver Themes Shortcode Compatibility plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide interim protection. Conduct thorough input validation and output encoding on all user-supplied data, especially in shortcode processing, to prevent injection of malicious scripts. Regularly audit and sanitize existing content to remove any stored malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor website logs and user reports for suspicious activity indicative of XSS exploitation. Educate site administrators and users about the risks of clicking on suspicious links or content. Finally, maintain regular backups of website data to enable recovery in case of compromise.