CVE-2025-24541

CVE-2025-24541 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the dinamiko DK White Label WordPress plugin (dk-white-label). This issue impacts all versions from n/a through 1.0 inclusive, as published on 2025-02-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers require no privileges or authentication but need to trick a user—typically an authenticated WordPress user such as an administrator—into interacting with a maliciously crafted link or input reflected on a vulnerable page. Successful exploitation enables arbitrary script execution in the victim's browser context, potentially allowing theft of session data, defacement, or other low-impact actions on confidentiality, integrity, and availability, with scope changed to a child component.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/dk-white-label/vulnerability/wordpress-dk-white-label-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in DK White Label plugin version 1.0 and serves as the primary reference for mitigation guidance. Practitioners should review it for recommended patches or workarounds, such as plugin updates if available.