CVE-2025-22780 identifies a stored Cross-site Scripting (XSS) vulnerability in the WordPress plugin wp-pano, developed by Andrey. This vulnerability is caused by improper neutralization of input during the generation of web pages, allowing attackers to inject malicious scripts that are stored persistently on the affected website. The vulnerability affects all versions up to and including 1.17. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and served to all users who access the compromised page, potentially leading to widespread impact. Exploiting this vulnerability does not require authentication or user interaction beyond visiting the infected page, making it easier for attackers to leverage. The wp-pano plugin is used to embed panoramic images in WordPress sites, which means the attack surface includes any site using this plugin for interactive media content. Although no public exploits have been reported yet, the nature of stored XSS means attackers could steal session cookies, deface websites, or deliver malware to visitors. The absence of a CVSS score indicates the need for an expert severity assessment, which here is rated high due to the potential impact on confidentiality, integrity, and availability of affected sites. The vulnerability was published on January 15, 2025, and no official patches or fixes have been linked yet, emphasizing the importance of proactive mitigation.

The impact of CVE-2025-22780 is significant for organizations running WordPress sites with the wp-pano plugin installed. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the affected website, leading to session hijacking, theft of sensitive user data, unauthorized actions on behalf of users, website defacement, and distribution of malware. This can erode user trust, damage brand reputation, and potentially lead to regulatory penalties if user data is compromised. Since the vulnerability is stored XSS, the malicious payload persists and affects all visitors to the compromised page, amplifying the potential damage. E-commerce sites, government portals, and any organizations relying on WordPress for public-facing content are particularly at risk. The ease of exploitation without authentication increases the likelihood of attacks, especially if attackers scan for vulnerable wp-pano instances. The lack of a current patch means organizations must act quickly to mitigate risk. Overall, the threat could disrupt business operations, cause data breaches, and facilitate further attacks such as phishing or malware distribution.

To mitigate CVE-2025-22780, organizations should first monitor official channels for patches or updates from the wp-pano plugin developer and apply them promptly once available. Until a patch is released, administrators should consider disabling or uninstalling the wp-pano plugin to eliminate exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide interim protection. Additionally, site owners should enforce strict input validation and output encoding on all user-supplied data, especially in areas where the plugin accepts input for panoramic images or related metadata. Conducting regular security audits and scanning WordPress sites for XSS vulnerabilities can help identify affected instances. Educating site administrators about the risks of installing unvetted plugins and maintaining minimal plugin usage reduces attack surface. Finally, ensuring that WordPress core and all plugins are kept up to date is critical to prevent exploitation of known vulnerabilities.