CVE-2025-24544
Published: 03 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24544 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) and classified under CWE-79. It affects the Bitcoin and Altcoin Wallets plugin from dashed-slug.net, impacting all versions from n/a through 6.3.1. The vulnerability was published on 2025-02-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker with network access can exploit this issue through low-complexity attacks requiring user interaction, such as tricking a site visitor or administrator into following a malicious link or interacting with a crafted request. Successful exploitation results in reflected XSS, allowing script execution in the victim's browser context, with low impacts on confidentiality, integrity, and availability but elevated scope due to cross-origin effects.
The Patchstack advisory documents this reflected XSS vulnerability specifically in the WordPress Bitcoin and Altcoin Wallets plugin version 6.3.1, available at https://patchstack.com/database/Wordpress/Plugin/wallets/vulnerability/wordpress-bitcoin-and-altcoin-wallets-plugin-6-3-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should review this reference for additional details on affected installations and recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web application via crafted malicious links requiring user interaction to trigger script execution in the browser.