WordPress Plugin Vulnerabilities

Dynamic Conditions < 1.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Dynamic Conditions plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
dynamicconditions
Fixed in 1.7.5

References

CVE
CVE-2025-22642
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f098e597-6938-48c8-948c-94cb475b8f6c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Michael
Verified
No
WPVDB ID
67cfe38d-ee2f-4268-855e-6cca429e549f

Timeline

Publicly Published
2025-02-03 (about 1 year ago)
Added
2025-02-12 (about 1 year ago)
Last Updated
2025-12-03 (about 5 months ago)

Other

Published
Title
Published
2025-02-28
Title
Currency Switcher for WooCommerce < 2.16.3 - Reflected Cross-Site Scripting
Published
2022-11-03
Title
Image Hover Effects Css3 <= 4.5 - Admin+ Stored XSS
Published
2025-10-17
Title
WPBakery Page Builder < 8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-21
Title
Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting
Published
2025-07-21
Title
Shortcodes Ultimate < 7.4.3 - Author+ Stored XSS via Image Title and Slide Link