CVE-2025-24536

CVE-2025-24536 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the ThriveDesk WordPress plugin in all versions from n/a through 2.0.6.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no privileges required, but user interaction is necessary. Remote attackers can craft malicious payloads delivered via reflected inputs, tricking users into interacting (e.g., via phishing links), to execute scripts in the victim's browser context with changed scope, achieving low impacts on confidentiality, integrity, and availability.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/thrivedesk/vulnerability/wordpress-thrivedesk-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in ThriveDesk plugin version 2.0.6 for WordPress, providing details for security practitioners to assess and address exposure in affected installations.