CVE-2025-24614
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24614 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the Agile Logix Post Timeline WordPress plugin. This issue affects Post Timeline versions from n/a through 2.3.9.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). A remote, unauthenticated attacker can exploit it over the network with low attack complexity, though it requires user interaction such as visiting a malicious link. Exploitation enables reflected XSS, allowing limited impacts on confidentiality, integrity, and availability across a changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/post-timeline/vulnerability/wordpress-post-timeline-plugin-2-3-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in the WordPress Post Timeline plugin up to version 2.3.9, with mitigation guidance available there.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing apps via malicious link) and T1059.007 (arbitrary JavaScript execution in browser context).