CVE-2025-22262: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in NotFound Bonjour Bar plugin version 1.0.0 and earlier. The vulnerability was identified on January 21, 2025, and assigned identifier CVE-2025-22262. The issue affects the Bonjour Bar WordPress plugin through version 1.0.0 (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects versions 1.0.0 and earlier of the Bonjour Bar plugin (Patchstack).

The vulnerability was initially reported by security researcher Pham Van Tam on December 4, 2024. Patchstack issued an early warning to their customers on January 18, 2025, before publishing the vulnerability on January 20, 2025 (Patchstack).