CVE-2025-32922: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Tobias WP2LEADS plugin, affecting versions through 3.5.0. The vulnerability was discovered on April 19, 2025, and was publicly disclosed on May 15, 2025. This security issue allows for Stored XSS attacks through CSRF vulnerabilities (Patchstack, Wiz).

The vulnerability has been assigned CVE-2025-32922 and received a CVSS v3.1 base score of 7.1 (High). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N) but needs User interaction (UI:R). The scope is Changed (S:C), with Low impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L) (AttackerKB).

The vulnerability can lead to stored Cross-Site Scripting attacks through CSRF exploitation, potentially allowing attackers to execute unwanted actions under the privileges of authenticated users. This could compromise the security of the WordPress installation and lead to unauthorized data access or modification (Patchstack).

Currently, no official fix is available for this vulnerability. The issue affects WP2LEADS plugin versions up to and including 3.5.0. Website administrators are advised to consider alternative plugins or implement additional security measures until a patch is released (Patchstack).