CVE-2025-24535
Published: 31 January 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24535 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the SKT Donation WordPress plugin developed by sonalsinha21 (skt-donation). This issue affects all versions of the plugin from n/a through 1.9 inclusive. The vulnerability was published on 2025-01-31.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by crafting inputs that reflect executable scripts back to victims' browsers with changed scope, potentially achieving low impacts to confidentiality, integrity, and availability, such as session hijacking or data theft in the victim's context.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/skt-donation/vulnerability/wordpress-skt-donation-plugin-1-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in SKT Donation version 1.9 for WordPress, providing vulnerability specifics for security practitioners to assess and mitigate affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007), typically via crafted malicious links in phishing campaigns (T1566.002), facilitating impacts like session hijacking (T1185).