CVE-2025-24646
Published: 03 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24646 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the XML for Avito WordPress plugin developed by icopydoc. The issue affects all versions of the plugin from n/a through 2.5.2.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but reliant on user interaction such as clicking a malicious link. Any unauthenticated remote attacker can leverage this to inject and execute arbitrary scripts in a victim's browser context, potentially leading to limited impacts on confidentiality, integrity, and availability with a changed scope.
Patchstack has documented this Reflected XSS vulnerability in the WordPress XML for Avito plugin version 2.5.2, as detailed in their advisory at https://patchstack.com/database/Wordpress/Plugin/xml-for-avito/vulnerability/wordpress-xml-for-avito-plugin-2-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should refer to this resource for specific mitigation recommendations, such as updating to a non-vulnerable version.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary script execution in the victim's browser (T1203 Exploitation for Client Execution) and requires a crafted malicious link that the user must click (T1204.001 Malicious Link).