CVE-2025-2166: 
WordPress vulnerability analysis and mitigation

The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-2166) discovered on March 14, 2025. The vulnerability affects all versions up to and including 1.2.5 of the plugin and is caused by improper escaping of URLs when using the removequeryarg function (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is limited to low confidentiality and integrity breaches with no effect on availability (NVD).

Users should upgrade to version 1.2.6 or later of the CM FAQ plugin, which contains the security fix for this vulnerability (WordPress Plugin).