CVE-2025-24598
Published: 04 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24598 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Mailster WordPress plugin by brandtoss. This issue affects WP Mailster versions from n/a through 1.8.17.0.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), requiring user interaction such as clicking a malicious link (UI:R). Exploitation results in a changed scope (S:C), enabling limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 score of 7.1.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-17-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. The CVE was published on 2025-02-04T15:15:23.027.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables drive-by compromise via crafted URLs (T1189) typically delivered through spearphishing links (T1566.002) requiring user interaction.