CVE-2025-22791: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the WordPress Offset Writing theme affecting versions up to and including 1.2. The vulnerability was discovered and reported on January 13, 2025, and was assigned the identifier CVE-2025-22791. This security flaw requires no authentication to exploit, making it a significant security concern (Patchstack, Wiz).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS v3.1 score of 7.1 (HIGH). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, and user interaction required. The vulnerability falls under the OWASP Top 10 category A3: Injection (NVD, Patchstack).

When exploited, this vulnerability enables malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts execute when visitors access the compromised site, potentially compromising user experience and security (Wiz, Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks. Website administrators are strongly advised to implement this mitigation immediately to protect their sites until an official fix becomes available (Patchstack).