CVE-2025-22550: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in AddFunc Mobile Detect WordPress plugin versions through 3.1. The vulnerability was identified on January 7, 2025, and was assigned CVE-2025-22550. This security flaw affects the AddFunc Mobile Detect plugin and allows for Stored XSS attacks when a user has Contributor or higher privileges (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security issue is classified under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability could allow a malicious actor with Contributor or higher privileges to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

As of the vulnerability disclosure, no official fix is available for this security issue. Given the low severity impact, virtual patching has been deemed unnecessary (Patchstack).

The vulnerability was initially reported by security researcher SOPROBRO on December 17, 2024, and was subsequently published by Patchstack on January 7, 2025. Early warning notifications were sent to Patchstack customers on January 7, 2025 (Patchstack).