CVE-2025-24615
Published: 14 February 2025
Description
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Security Summary
CVE-2025-24615 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Analytics Cat WordPress plugin by fatcatapps. This issue affects all versions of the analytics-cat plugin from n/a through 1.1.2 inclusive. Published on 2025-02-14, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.
Attackers can exploit this reflected XSS vulnerability remotely over the network with low attack complexity, requiring no privileges but relying on user interaction, such as a victim clicking a malicious link or visiting a crafted page. Exploitation enables injection of arbitrary scripts into dynamically generated web pages, potentially allowing attackers to steal authentication credentials, session tokens, or perform other client-side actions in the context of the affected site, with low impacts on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/analytics-cat/vulnerability/wordpress-analytics-cat-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this vulnerability in the WordPress Analytics Cat plugin version 1.1.2. Mitigation involves updating to a version beyond 1.1.2, where available, alongside standard practices like input validation, output encoding, and Content Security Policy implementation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing app via malicious link), T1185 (browser session hijacking to steal tokens), and T1056.003 (web portal capture for credentials).