CVE-2025-24549
Published: 31 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24549 is a Cross-Site Request Forgery (CSRF) vulnerability in the Post Meta WordPress plugin developed by Mahbubur Rahman. The missing request-forgery protection can be chained into Reflected Cross-Site Scripting (XSS). All releases of the plugin up to and including 1.0.9 are affected (the advisory states no lower bound). The issue is classified as CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A remote attacker needs no privileges on the target site: they lure a logged-in user onto an attacker-controlled page that submits a forged request to the vulnerable plugin endpoint. Because that request is not validated against a nonce (the CSRF side) and a request parameter is reflected into the response without escaping (the XSS side), attacker-supplied script runs in the victim's browser in the context of the WordPress site. The vector records this chain: PR:N and UI:R because the victim, not the attacker, must be authenticated and must visit the malicious page; S:C because the payload executes in the user's browser rather than only within the vulnerable plugin; and C:L/I:L/A:L because the resulting impact is limited to what a script acting as that logged-in user can reach.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/post-meta/vulnerability/wordpress-post-meta-plugin-1-0-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve covers the reflected XSS side of this issue in Post Meta 1.0.9. Security practitioners should check it for a fixed release; if none is listed, deactivating the plugin removes the exposure. When reviewing a fix, confirm that both controls are present: a nonce or referer check on the request handler (closing the CSRF) and context-appropriate escaping of the reflected parameter (closing the XSS). A nonce check alone leaves the XSS reachable by anyone who can obtain a valid nonce, and escaping alone leaves the forged state change possible.
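The pattern described above, shown as an added illustration rather than code from the Post Meta plugin or its author: a WordPress request handler that neither verifies a nonce nor escapes the value it reflects, beside a hardened handler that applies the two controls together with a capability check. The hook names, option key, text domain and parameter names (pm_example_*, meta_key, meta_value) are hypothetical; the WordPress API calls (check_admin_referer, current_user_can, wp_nonce_field, esc_html, and so on) are real.

```php
<?php
/**
 * Added example (not the Post Meta plugin's code). Illustrates the class of bug
 * described in the summary and its fix. All pm_example_* names are hypothetical.
 */

// --- Vulnerable pattern (hypothetical) --------------------------------------
// Reachable by any logged-in user via admin-post.php?action=pm_example_save_vulnerable.
// No nonce check: a page on an attacker's site can submit this form on the
// victim's behalf (CWE-352). The unescaped echo of `meta_key` turns the forged
// request into reflected XSS in the victim's browser.
function pm_example_save_vulnerable() {
	$key   = $_POST['meta_key'];
	$value = $_POST['meta_value'];
	update_option( 'pm_example_setting', array( $key => $value ) );
	echo '<div class="notice notice-success"><p>Saved meta key: ' . $key . '</p></div>';
}
add_action( 'admin_post_pm_example_save_vulnerable', 'pm_example_save_vulnerable' );

// --- Hardened pattern ---------------------------------------------------------
function pm_example_save_hardened() {
	// 1. CSRF: the nonce is bound to the logged-in user and the action name, so a
	//    cross-origin page cannot forge it. check_admin_referer() calls wp_die()
	//    when the nonce is missing or invalid.
	check_admin_referer( 'pm_example_save', 'pm_example_nonce' );

	// 2. Authorization: a nonce proves intent, not privilege. Check the capability
	//    the action actually requires.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'pm-example' ), 403 );
	}

	// 3. Input: unslash, then constrain what is stored.
	$key   = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
	$value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
	if ( '' === $key ) {
		wp_die( esc_html__( 'Missing meta key.', 'pm-example' ), 400 );
	}
	update_option( 'pm_example_setting', array( $key => $value ) );

	// 4. Output: do not echo request data from the POST handler at all. Redirect
	//    back to the settings page (PRG) and let that page render an escaped notice.
	wp_safe_redirect(
		add_query_arg(
			array( 'page' => 'pm-example', 'saved' => rawurlencode( $key ) ),
			admin_url( 'options-general.php' )
		)
	);
	exit;
}
add_action( 'admin_post_pm_example_save_hardened', 'pm_example_save_hardened' );

// The settings page that targets the hardened handler: it emits the matching
// nonce field and escapes the reflected `saved` parameter for HTML context.
function pm_example_render_form() {
	$saved = isset( $_GET['saved'] ) ? sanitize_key( wp_unslash( $_GET['saved'] ) ) : '';
	if ( '' !== $saved ) {
		echo '<div class="notice notice-success"><p>Saved meta key: ' . esc_html( $saved ) . '</p></div>';
	}
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	wp_nonce_field( 'pm_example_save', 'pm_example_nonce' );
	echo '<input type="hidden" name="action" value="pm_example_save_hardened">';
	echo '<input type="text" name="meta_key"> <input type="text" name="meta_value">';
	submit_button( __( 'Save', 'pm-example' ) );
	echo '</form>';
}
```

The four steps are independent and each closes a different hole: the nonce stops cross-origin submission, the capability check stops low-privilege users who do hold a valid nonce, input sanitization bounds what lands in the database, and the redirect-then-escape output path means no request parameter is ever echoed raw. When auditing a plugin fix for a CSRF-to-XSS report, look for all four; a patch that only adds check_admin_referer() still reflects the parameter to anyone who can obtain a nonce.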
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that can be chained into reflected XSS. Delivering the forged request to a logged-in user is an exploitation of a public-facing application for initial access, and the resulting script execution is the client-side impact that follows.