CVE-2025-24680
Published: 27 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-24680 is an Improper Neutralization of Script-Related HTML Tags in a Web Page vulnerability, classified as Basic XSS and enabling Reflected XSS, in the WP Multistore Locator plugin (wp-multi-store-locator) from WPExperts.io. This issue affects the plugin from unknown initial versions through version 2.4.7 inclusive, as used in WordPress environments.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation over the network with low attack complexity, no required privileges, but needing user interaction such as clicking a malicious link. Any unauthenticated remote attacker can deliver crafted payloads via reflected inputs, achieving changed scope with low impacts on confidentiality, integrity, and availability—potentially allowing session token theft, phishing, or limited site defacement on behalf of the interacting user.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-multi-store-locator/vulnerability/wordpress-wp-multi-store-locator-plugin-2-4-7-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this WordPress plugin issue and highlights the need to address versions up to 2.4.7, with mitigation centered on updating the plugin to a non-vulnerable release.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables crafted malicious links for payload delivery (spearphishing) and direct exfiltration of session tokens via injected scripts.