CVE-2025-24592

CVE-2025-24592 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79 for improper neutralization of input during web page generation, affecting the SysBasics Customize My Account for WooCommerce WordPress plugin. The issue impacts all versions of the plugin up to and including 2.8.22. It carries a CVSS v3.1 base score of 7.1, rated High, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low complexity, no privileges required, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.

An attacker can exploit this vulnerability by crafting malicious input that is reflected unsanitized in the web page generated by the plugin, tricking a user into accessing a malicious link or submitting tainted input on a vulnerable WordPress site. No authentication is required, but user interaction is necessary, such as clicking a link in a phishing email or visiting a malicious site. Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser context, potentially stealing session cookies, defacing pages, or performing actions on behalf of the user within the site's scope.

Patchstack's advisory, referenced in the CVE details, documents the vulnerability in version 2.8.22 and recommends updating the Customize My Account for WooCommerce plugin to a patched version beyond 2.8.22 to mitigate the issue. Security practitioners should verify plugin updates via the official WordPress repository and apply them promptly on affected sites.