CVE-2025-24534
Published: 31 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24534 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the dinamiko DPortfolio WordPress plugin. This issue affects DPortfolio versions from n/a through 2.0 inclusive, as published on 2025-01-31.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with a scope change to confidential. Remote attackers can exploit it by crafting malicious links that reflect injected scripts into users' browsers upon interaction, potentially enabling session hijacking, phishing, or minor disruptions to confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/dportfolio/vulnerability/wordpress-dportfolio-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in the DPortfolio plugin version 2.0 and provides details on remediation for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS via crafted malicious links directly enables client-side code execution in browsers (T1203) and supports delivery through spearphishing links (T1566.002).