CVE-2025-32922 describes a CSRF vulnerability in the WP2LEADS plugin (versions ≤ 3.5.0) that enables stored XSS attacks. An attacker can trick an authenticated user into submitting a request that causes malicious scripts to be stored and later executed in the context of the victim's browser. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS 3.1 vector indicates low attack complexity, no privileges required, and user interaction needed, with impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of affected users. This can result in data theft, session hijacking, or other malicious actions compromising confidentiality, integrity, and availability of the affected system. The vulnerability is exploitable remotely over the network and requires user interaction.

No patch or official fix information is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should consider disabling or removing the WP2LEADS plugin if feasible, or apply any recommended temporary mitigations from the vendor once available.