CVE-2025-24599
Published: 04 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24599 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Tribulant Software Newsletters newsletters-lite WordPress plugin. This issue affects all versions of the plugin from n/a through 4.9.9.6, as published on 2025-02-04.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, but necessitating user interaction such as clicking a malicious link. Remote attackers can deliver payloads reflected in web pages, potentially leading to limited impacts on confidentiality, integrity, and availability within a changed scope, such as session hijacking or data theft for interacting users.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-9-9-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables client-side JS execution in browser via crafted malicious link requiring user click, directly matching exploitation for client execution and user execution via malicious link.