CVE-2025-24576
Published: 03 February 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-24576 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Landing Page Cat WordPress plugin by fatcatapps. The issue affects all versions of the plugin from n/a through 1.7.7 and was published on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no privileges required, but user interaction needed, and changed scope. Remote unauthenticated attackers can exploit it by injecting malicious payloads into reflected inputs on affected web pages, such as via crafted URLs, tricking victims into interacting (e.g., visiting a malicious link). This enables script execution in the victim's browser, with low impacts on confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/landing-page-cat/vulnerability/wordpress-landing-page-cat-plugin-1-7-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability directly enables injection and execution of malicious scripts in the victim's browser via crafted URLs, mapping to exploitation for client execution.