CVE-2025-24626

High

Published: 27 January 2025

Published

27 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0015 35.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-24626 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Music Store WordPress plugin by codepeople, with all versions from n/a through 1.1.19 vulnerable.

The vulnerability can be exploited by remote attackers requiring no privileges, accessible over the network with low attack complexity but needing user interaction, such as following a malicious link. Per its CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), successful exploitation changes scope and results in low impacts to confidentiality, integrity, and availability, allowing injected scripts to execute in the victim's browser context.

Patchstack's advisory on the referenced URL documents the Reflected XSS vulnerability in the WordPress Music Store eCommerce plugin version 1.1.19.

Details

CWE(s): CWE-79

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Reflected XSS vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications via crafted malicious links.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Plugin/music-store/vulnerability/wordpress-music-store-wordpress-ecommerce-plugin-1-1-19-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com