CVE-2025-22801: 
WordPress vulnerability analysis and mitigation

The Free WooCommerce Theme 99fy Extension plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-22801. The vulnerability affects versions up to and including 1.2.8 of the plugin, with the issue being patched in version 1.2.9. The vulnerability was discovered by researcher João Pedro Soares de Alcântara and was publicly disclosed on January 7, 2025 (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that falls under the OWASP Top 10 category A3: Injection. It has been assigned a CVSS score of 6.5, indicating a low to moderate severity level. The vulnerability requires contributor-level privileges to exploit (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

The recommended mitigation is to update the Free WooCommerce Theme 99fy Extension plugin to version 1.2.9 or later, which contains the fix for this vulnerability. Users of Patchstack can enable auto-update functionality for vulnerable plugins to ensure timely updates (Patchstack).