CVE-2025-24557

**CVE-2025-24557** is an **Improper Neutralization of Input During Web Page Generation** vulnerability, classified as **Reflected Cross-site Scripting (XSS)** under **CWE-79**. It affects the **PlainInventory z-inventory-manager plugin for WordPress**, specifically all versions from **n/a through <= 3.1.5**. Published on **2025-02-03**, it has a **CVSS v3.1 score of 7.1** (**AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L**), indicating **high severity** due to its network accessibility, low complexity, no required privileges, user interaction dependency, and cross-origin scope with low impacts across confidentiality, integrity, and availability.

**Attackers** can exploit this remotely **without authentication** by crafting malicious inputs (e.g., via URLs or forms) that reflect executable scripts back to users interacting with the plugin's web pages. **Victims** (e.g., site admins or logged-in users) clicking links or visiting pages trigger script execution in their browser context, enabling **cookie/session theft**, **keylogging**, **phishing**, or **account hijacking**. With **cross-origin privileges (S:C)**, attackers could pivot to deface sites, redirect users, or chain attacks if victims hold elevated roles.

Per the **Patchstack advisory** (https://patchstack.com/database/Wordpress/Plugin/z-inventory-manager/vulnerability/wordpress-plaininventory-plugin-3-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve), **mitigate by updating** to a patched version (if available), **disabling the plugin**, enabling **Content Security Policy (CSP)** headers, input validation, and monitoring for anomalous requests. No other advisories provided.

No data on real-world exploitation or AI/ML ties.