The WP-Asambleas plugin for WordPress, developed by platcom, contains a reflected cross-site scripting vulnerability identified as CVE-2025-22796. This vulnerability is due to improper neutralization of input during web page generation, which allows attackers to inject and execute arbitrary scripts in the context of a victim's browser session. The issue affects all versions up to 2.85.0. The CVSS v3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory information is currently available.

Successful exploitation of this reflected XSS vulnerability can lead to execution of arbitrary scripts in the victim's browser, potentially resulting in theft of user credentials, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability to a limited extent. The CVSS score of 7.1 reflects these impacts. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider applying web application firewall (WAF) rules to detect and block reflected XSS attempts and avoid clicking on suspicious links that may exploit this vulnerability. Monitor platcom's official channels for updates and patches.