CVE-2025-24551
Published: 31 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24551 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Radio Buttons and Swatches for WooCommerce plugin (variations-radio-buttons-for-woocommerce) from oneteamsoftware, impacting all versions from n/a through 1.1.20. This WordPress plugin is vulnerable to reflected XSS due to inadequate input sanitization during web page generation.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as visiting a malicious link. Remote attackers can exploit it by crafting URLs with malicious payloads that reflect and execute in the victim's browser context upon interaction, achieving low impacts on confidentiality, integrity, and availability but with changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/variations-radio-buttons-for-woocommerce/vulnerability/wordpress-radio-buttons-and-swatches-for-woocommerce-plugin-1-1-20-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in plugin version 1.1.20 and provides details for practitioners on addressing the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a reflected XSS vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190) via crafted malicious URLs and allowing arbitrary JavaScript execution in the victim's browser (T1059.007).