CVE-2025-24700
Published: 14 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24700 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WP Event Aggregator WordPress plugin from Xylus Themes. This issue impacts all versions of the plugin from n/a through 1.8.2.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), meaning it is exploitable remotely over the network with low attack complexity, no required privileges, but necessitating user interaction such as clicking a malicious link. An unauthenticated attacker can craft a URL containing a malicious payload that the plugin reflects unsanitized into the web page, enabling arbitrary JavaScript execution in the context of the victim's browser and potentially leading to low-level impacts on confidentiality, integrity, and availability across a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-event-aggregator/vulnerability/wordpress-wp-event-aggregator-plugin-1-8-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability in WP Event Aggregator version 1.8.2.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin allows crafting malicious URLs for JS execution in victim's browser, mapping to exploitation of public-facing apps (T1190) and delivery via spearphishing links (T1566.002).