CVE-2025-24558
Published: 14 February 2025
Description
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.
Security Summary
CVE-2025-24558 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CRM Perks support-x WordPress plugin. This issue affects all versions of the plugin from n/a through 1.1.5 inclusive. The vulnerability was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) by tricking a user into performing an action such as clicking a malicious link or submitting crafted input on a vulnerable site (UI:R). Exploitation reflects unsanitized input into web pages, enabling arbitrary script execution in the victim's browser context within the site's scope (S:C). This can result in low impacts to confidentiality, integrity, and availability, such as session hijacking, data theft, or minor site defacement.
The Patchstack advisory provides details on this Reflected XSS vulnerability in the CRM Perks WordPress plugin up to version 1.1.5, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/support-x/vulnerability/wordpress-crm-perks-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary client-side script execution, directly facilitating browser session hijacking via cookie theft or similar (T1185) and minor site defacement by modifying page content (T1491.002).