CVE-2025-24656
Published: 03 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24656 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Realtyna Provisioning WordPress plugin (realtyna-provisioning). This issue affects all versions from n/a through 1.2.2, as disclosed on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation over the network with low attack complexity, no required privileges, and user interaction. Remote attackers can exploit it by crafting malicious inputs reflected in web pages, tricking authenticated users (such as site visitors or administrators) into triggering the XSS via links or inputs, achieving low impacts on confidentiality, integrity, and availability within a changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/realtyna-provisioning/vulnerability/wordpress-realtyna-provisioning-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin allows exploitation via crafted malicious links sent to users (T1566.002), enabling drive-by compromise (T1189) and initial access through public-facing application exploitation (T1190).