CVE-2025-22651: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress plugin Stylish Google Sheet Reader, tracked as CVE-2025-22651. The vulnerability affects versions up to 4.0 of the plugin and was discovered by security researcher Jorge Diaz (ddiax). The issue was publicly disclosed on February 3, 2025, and has been fixed in version 4.1 (WPScan, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's web page generation process. It has been assigned a CVSS score of 7.1 (High), indicating a significant security risk. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects and advertisements, as well as other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

Website administrators are advised to update the Stylish Google Sheet Reader plugin to version 4.1 or later, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).