CVE-2025-22804 identifies a stored Cross-site Scripting (XSS) vulnerability in the Paul Bearne Author Avatars List/Block plugin, which is used in web content management environments to display or block author avatars. The vulnerability stems from improper input sanitization during the generation of web pages, allowing malicious actors to inject and store arbitrary JavaScript code within the plugin's data fields. When other users or administrators access affected pages, the malicious script executes in their browsers under the context of the vulnerable site. This stored XSS can be exploited to steal cookies, hijack user sessions, perform actions on behalf of users, or deliver further malware payloads. The affected versions include all releases up to and including 2.1.23. The vulnerability does not require authentication to exploit, nor does it require user interaction beyond visiting a compromised page, increasing its risk profile. As of the publication date, no CVSS score has been assigned, no patches have been officially released, and no active exploitation has been reported. The vulnerability was reserved and published in early January 2025 by Patchstack, a known security entity specializing in WordPress plugin vulnerabilities. The lack of a CVSS score suggests the need for organizations to proactively assess and mitigate the risk. Stored XSS vulnerabilities are particularly dangerous because they persist on the server and affect all users who view the compromised content, amplifying the potential impact.

The impact of CVE-2025-22804 on organizations worldwide can be significant. Stored XSS vulnerabilities enable attackers to execute arbitrary scripts in the browsers of users visiting the affected site, which can lead to credential theft, session hijacking, unauthorized actions, and distribution of malware. For organizations relying on the Paul Bearne Author Avatars List/Block plugin, this could compromise the integrity and confidentiality of user data and damage the organization's reputation. Attackers could leverage this vulnerability to gain further footholds within the network or pivot to more severe attacks. The availability of the site could also be indirectly affected if attackers deface the site or cause disruptions through malicious scripts. Since the vulnerability does not require authentication, it can be exploited by remote attackers without prior access, increasing the attack surface. The absence of known exploits in the wild currently provides a window for remediation, but the risk remains high due to the ease of exploitation and the widespread use of WordPress plugins in publishing and blogging platforms.

To mitigate CVE-2025-22804, organizations should take the following specific actions: 1) Immediately audit the use of the Paul Bearne Author Avatars List/Block plugin and identify all instances and versions deployed. 2) Monitor official vendor channels and trusted security advisories for the release of patches or updates addressing this vulnerability and apply them promptly. 3) In the absence of an official patch, consider temporarily disabling or removing the plugin to eliminate the attack vector. 4) Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns associated with XSS payloads targeting the plugin's input fields. 5) Conduct thorough input validation and output encoding on all user-supplied data within the web application, especially in custom code interfacing with the plugin. 6) Educate site administrators and users about the risks of XSS and encourage vigilance for unusual site behavior or unexpected content. 7) Regularly scan the website for malicious scripts or injected content using automated security tools. 8) Review and harden Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. These measures, combined, will reduce the risk of exploitation until a vendor patch is available and applied.