Alert Box Block – Display notice/alerts in the front end < 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-22675 | Plugin Vulnerabilities

Description

The Alert Box Block – Display notice/alerts in the front end plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

alert-box-block

Fixed in 1.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/db4c9d47-fb54-4f8c-bb82-c72be743458f

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pham Van Tam

Verified

No

WPVDB ID

ad32d1ab-2bab-45c7-a343-0b753fcbd79a

Timeline

Publicly Published

2025-02-03 (about 1 year ago)

Added

2025-02-12 (about 1 year ago)

Last Updated

2025-02-12 (about 1 year ago)

Other

Published

Title

Published

2024-05-07

Title

HT Mega – Absolute Addons For Elementor < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget

Published

2024-04-30

Title

EventON < 2.2.15 - Admin+ Stored XSS

Published

2020-12-14

Title

Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting

Published

2024-07-11

Title

Change From Email <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-09-30

Title

Zotpress < 7.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting