The vulnerability CVE-2025-22826 affects the wpecommerce Sell Digital Downloads plugin (versions <= 2.2.7) and is classified as a stored cross-site scripting (XSS) issue. It results from improper input neutralization during web page generation, enabling attackers to inject malicious scripts that persist and execute in the context of users' browsers. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, required privileges and user interaction, and impacts on confidentiality, integrity, and availability at a low level. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of affected users, potentially leading to limited disclosure of information, modification of data, or disruption of service. The CVSS vector indicates that an attacker requires some privileges and user interaction to exploit this issue. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with input handling and consider applying any available workarounds or input sanitization measures. Monitor vendor channels for updates regarding patches or official mitigations.