CVE-2025-50022: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WP-FB-AutoConnect WordPress plugin, affecting versions through 4.6.3. The vulnerability was discovered by Nabil Irawan and was publicly disclosed on June 19, 2025. This security issue has been assigned the identifier CVE-2025-50022 (Wiz, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This scoring indicates that the vulnerability requires high privileges and user interaction to exploit, but can potentially affect resources beyond the security scope of the affected component (Patchstack).

The vulnerability allows attackers to inject malicious scripts that could be executed when users visit the affected website. This could potentially lead to the injection of advertisements, malicious redirects, and other HTML payloads that execute in visitors' browsers (Wiz, Patchstack).

As of the current date, no official fix has been released for this vulnerability. Users of the WP-FB-AutoConnect plugin are advised to implement general XSS protection measures and consider temporarily disabling the plugin until a patch becomes available (Wiz).