Plataforma
wordpress
Componente
evergreen-post-tweeter
Corregido en
1.8.10
CVE-2025-67622 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS in the Evergreen Post Tweeter plugin. This allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability affects versions from 0 up to and including 1.8.9. A patch is expected to be released by the vendor.
Successful exploitation of CVE-2025-67622 allows an attacker to inject arbitrary JavaScript code into the Evergreen Post Tweeter plugin. This code can then be executed in the context of any user visiting a vulnerable page, leading to a range of malicious activities. An attacker could steal user session cookies, redirect users to phishing sites, or deface the website. The impact is particularly severe for websites with sensitive user data or high traffic, as a single successful attack could compromise a large number of users. This vulnerability shares similarities with other XSS vulnerabilities where user input is not properly sanitized before being displayed.
CVE-2025-67622 was publicly disclosed on 2025-12-24. The vulnerability's severity is rated as HIGH (CVSS 7.1). No public proof-of-concept (POC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. Active exploitation is not yet confirmed, but the public disclosure increases the risk of exploitation.
Websites using the Evergreen Post Tweeter plugin, particularly those with user accounts or sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "evergreen-post-tweeter" /var/www/html/wp-content/plugins/
wp plugin list | grep evergreen-post-tweeter• generic web:
curl -I https://example.com/ | grep -i 'x-frame-options'disclosure
Estado del Exploit
EPSS
0.02% (6% percentil)
CISA SSVC
Vector CVSS
The primary mitigation for CVE-2025-67622 is to upgrade to a patched version of the Evergreen Post Tweeter plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting access to the affected functionality or implementing strict input validation on user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor website logs for suspicious activity, particularly unusual JavaScript execution patterns.
No se conoce ninguna solución disponible. Revise a fondo los detalles de la vulnerabilidad y aplique mitigaciones en función de la tolerancia al riesgo de su organización. Es posible que sea mejor desinstalar el software afectado y buscar un reemplazo.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2025-67622 is a Cross-Site Scripting (XSS) vulnerability in the Evergreen Post Tweeter WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Evergreen Post Tweeter versions 0 through 1.8.9. Upgrade as soon as a patch is available.
Upgrade to the latest version of the Evergreen Post Tweeter plugin once a patch is released by the vendor. Until then, consider temporary workarounds like input validation.
Active exploitation is not yet confirmed, but the public disclosure increases the risk. Monitor your website for suspicious activity.
Check the Evergreen Post Tweeter plugin's official website or WordPress plugin repository for updates and security advisories.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.