CVE-2025-22765: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress WP Order By Plugin versions 1.4.2 and below, identified as CVE-2025-22765. The vulnerability was discovered by Le Ngoc Anh and publicly disclosed on January 14, 2025 (Patchstack, Wordfence).

The vulnerability has been assigned a CVSS score of 7.1 (Medium severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (Wordfence).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation steps include either removing and replacing the software or implementing virtual patching through security solutions. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).