CVE-2025-24620
Published: 03 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24620 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, affecting the AIO Shortcodes WordPress plugin developed by hkharpreetkumar1 under the identifier aio-shortcodes. The issue impacts all versions from n/a through 1.3 inclusive, allowing malicious input to be stored and rendered without proper neutralization during web page generation.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but needing user interaction, and resulting in changed scope with low impacts to confidentiality, integrity, and availability. Any unauthenticated attacker can submit crafted input through plugin functionality, storing malicious scripts that execute in the browser context of authenticated users or administrators viewing affected pages, potentially leading to session hijacking, phishing, or further site compromise.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/aio-shortcodes/vulnerability/wordpress-aio-shortcodes-plugin-1-3-stored-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Stored XSS vulnerability specifically in AIO Shortcodes version 1.3 and provides details relevant to mitigation for WordPress site operators.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting web app for initial access) and facilitates T1185 (browser session hijacking via injected scripts).