CVE-2025-24694

CVE-2025-24694 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CreativeMindsSolutions CM Pop-Up Banners WordPress plugin (cm-pop-up-banners). This issue affects all versions from n/a through 1.7.6.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by crafting payloads that reflect unsanitized input in the plugin's web page generation, executing arbitrary JavaScript in the victim's browser context with changed scope, potentially compromising low levels of confidentiality, integrity, and availability.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/cm-pop-up-banners/vulnerability/wordpress-cm-pop-up-banners-plugin-1-7-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, document the vulnerability and provide details on affected installations for mitigation guidance.