Platform
wordpress
Component
evergreen-post-tweeter
Fixed in
1.8.10
CVE-2025-67622 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS in the Evergreen Post Tweeter plugin. This allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability affects versions from 0 up to and including 1.8.9. A patch is expected to be released by the vendor.
Successful exploitation of CVE-2025-67622 allows an attacker to inject arbitrary JavaScript code into the Evergreen Post Tweeter plugin. This code can then be executed in the context of any user visiting a vulnerable page, leading to a range of malicious activities. An attacker could steal user session cookies, redirect users to phishing sites, or deface the website. The impact is particularly severe for websites with sensitive user data or high traffic, as a single successful attack could compromise a large number of users. This vulnerability shares similarities with other XSS vulnerabilities where user input is not properly sanitized before being displayed.
CVE-2025-67622 was publicly disclosed on 2025-12-24. The vulnerability's severity is rated as HIGH (CVSS 7.1). No public proof-of-concept (POC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. Active exploitation is not yet confirmed, but the public disclosure increases the risk of exploitation.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67622 is to upgrade to a patched version of the Evergreen Post Tweeter plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting access to the affected functionality or implementing strict input validation on user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor website logs for suspicious activity, particularly unusual JavaScript execution patterns.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-67622 is a Cross-Site Scripting (XSS) vulnerability in the Evergreen Post Tweeter WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Evergreen Post Tweeter versions 0 through 1.8.9. Upgrade as soon as a patch is available.
Upgrade to the latest version of the Evergreen Post Tweeter plugin once a patch is released by the vendor. Until then, consider temporary workarounds like input validation.
Active exploitation is not yet confirmed, but the public disclosure increases the risk. Monitor your website for suspicious activity.
Check the Evergreen Post Tweeter plugin's official website or WordPress plugin repository for updates and security advisories.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.