CVE-2025-22649: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in weDevs WP Project Manager plugin (wedevs-project-manager) affecting versions through 2.6.22. The vulnerability was publicly disclosed on February 3, 2025, and was assigned CVE-2025-22649. This security issue specifically impacts WordPress installations with the WP Project Manager plugin, particularly affecting multi-site installations and systems where unfiltered_html has been disabled (WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled (WPScan).

As of the latest reports, there is no known official fix available for this vulnerability. The issue affects versions up to 2.6.22, and users are advised to monitor for updates from the plugin developer (WPScan).