CVE-2025-24545
Published: 03 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24545 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the BSK Forms Validation plugin (bsk-gravity-forms-custom-validation) for WordPress developed by bannersky. The issue affects all versions of the plugin from n/a through 1.7 inclusive. It was published on 2025-02-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation changes the scope and enables arbitrary script execution in the context of the victim's browser on sites using the affected plugin, resulting in low impacts to confidentiality, integrity, and availability.
The Patchstack advisory details the vulnerability in the WordPress plugin database and recommends mitigation through updating to a version of BSK Forms Validation beyond 1.7, where the issue is addressed.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web application (T1190) for arbitrary JavaScript execution in the victim's browser (T1059.007).