CVE-2025-24629
Published: 03 February 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-24629 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Import Excel to Gravity Forms (gf-excel-import) by wpgear. This issue affects the plugin from unknown initial versions through version 1.18 inclusive.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but user interaction needed. Remote attackers can craft malicious payloads that reflect user input without proper neutralization, tricking victims—such as site administrators or logged-in users—into accessing a malicious link or page, such as via phishing. Exploitation executes arbitrary JavaScript in the victim's browser context, enabling theft of session tokens or sensitive data, with changed scope potentially impacting the site's security.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/gf-excel-import/vulnerability/wordpress-import-excel-to-gravity-forms-plugin-1-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS in version 1.18, urging WordPress administrators to update the plugin or apply available mitigations to prevent exploitation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007) which directly facilitates stealing web session cookies (T1539) and browser session hijacking (T1185) as described in the CVE.