CVE-2025-24563
Published: 31 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24563 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the themeglow Cleanup – Directory Listing & Classifieds WordPress Plugin (cleanup-light). This issue affects the plugin from unknown initial versions (n/a) through version 1.0.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as visiting a malicious link. Remote attackers can exploit it to inject and execute arbitrary scripts in the victim's browser context due to the changed scope, resulting in low impacts to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cleanup-light/vulnerability/wordpress-cleanup-directory-listing-classifieds-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables exploitation via crafted malicious links sent to victims, directly facilitating spearphishing links and user execution of malicious links to trigger script injection in the browser.