CVE-2025-22748: 
WordPress vulnerability analysis and mitigation

The SetMore Theme – Custom Post Types WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-22748) affecting versions up to and including 1.1. The vulnerability was discovered and reported by researcher SOPROBRO and was publicly disclosed on January 14, 2025 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue, with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability allows authenticated users with contributor-level access and above to inject arbitrary web scripts into pages due to insufficient input sanitization and output escaping (Patchstack).

When exploited, this vulnerability allows malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed whenever users visit the affected pages (Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive further updates or security fixes (Patchstack).