CVE-2025-24554
Published: 14 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24554 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the awcode-toolkit WordPress plugin from AWcode. It affects all versions from n/a through 1.0.14 inclusive. Published on 2025-02-14T13:15:48.113, the issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Upon successful exploitation, adversaries achieve reflected XSS execution in the victim's browser, resulting in low impacts to confidentiality, integrity, and availability, but with a changed scope that could enable actions like session hijacking or client-side script injection.
The primary advisory from Patchstack documents this reflected XSS vulnerability specifically in WordPress AWcode Toolkit plugin version 1.0.14, providing details via its vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/awcode-toolkit/vulnerability/wordpress-awcode-toolkit-plugin-1-0-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables remote exploitation of web application vulnerability with user interaction via crafted links.