CVE-2025-24559
Published: 03 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24559 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Mailster WordPress plugin developed by brandtoss (wp-mailster). The issue affects the plugin from an unspecified earliest version through 1.8.15.0 inclusive.
The vulnerability can be exploited over the network (AV:N) by a remote attacker who needs no privileges (PR:N) and faces low attack complexity (AC:L), but it requires user interaction (UI:R), such as the victim clicking a crafted link. Successful exploitation changes scope (S:C) and has low impact on confidentiality, integrity, and availability (C:L/I:L/A:L), for a CVSS v3.1 base score of 7.1. An attacker could inject and execute arbitrary scripts in victims' browsers.
Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-15-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS in WP Mailster 1.8.15.0 and covers mitigation details for affected WordPress installations.
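The CWE-79 pattern the summary describes, shown beside the WordPress-idiomatic fix. This is an added illustration, not code from WP Mailster; the `q` parameter and the markup are hypothetical, and the fallback function definitions only stand in for WordPress core's `esc_html()` and `esc_attr()` when the file is run outside WordPress.

```php
<?php
// Added illustration of CWE-79 (reflected XSS), not code from WP Mailster.
// The "q" parameter and the surrounding markup are hypothetical.

// Stand-alone fallbacks so this file runs outside WordPress; inside a plugin
// the real core functions are already defined and these definitions are skipped.
// They approximate, not reproduce, core's escaping.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Vulnerable: request input is concatenated straight into the response, so a
// crafted link reflects attacker-controlled markup into the victim's page.
function render_notice_vulnerable( array $request ) : string {
    $term = isset( $request['q'] ) ? (string) $request['q'] : '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="q" value="' . $term . '">';
}

// Hardened: escape at the point of output, with the function that matches the
// output context: esc_html() for element text, esc_attr() for attribute values.
function render_notice_hardened( array $request ) : string {
    $term = isset( $request['q'] ) ? (string) $request['q'] : '';
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="q" value="' . esc_attr( $term ) . '">';
}

// Constructed sample input: it closes the attribute and adds an element in the
// vulnerable output, but is rendered as literal text by the hardened output.
$sample = array( 'q' => '"><em>injected</em>' );
echo render_notice_vulnerable( $sample ), "\n";
echo render_notice_hardened( $sample ), "\n";
```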
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of the web application and arbitrary JavaScript execution in the victim's browser.