CVE-2025-24708

CVE-2025-24708 is an Improper Neutralization of Input During Web Page Generation vulnerability, specifically a Reflected Cross-Site Scripting (XSS) issue classified under CWE-79. It affects the CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin (cf7-dynamics-crm), impacting all versions from n/a through 1.1.6. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.

A remote attacker without privileges can exploit this reflected XSS by crafting malicious input, such as a specially prepared URL or form submission, that gets reflected back in the generated web page without sanitization. The attack requires a victim to interact with the malicious payload, typically by clicking a link or submitting a form on an affected WordPress site using the plugin. Successful exploitation executes arbitrary JavaScript in the victim's browser context, enabling potential theft of session data, cookie manipulation, or other client-side actions within the low-impact scope defined by the CVSS metrics.

The Patchstack advisory provides details on this vulnerability, including verification and exploitation information, accessible at https://patchstack.com/database/Wordpress/Plugin/cf7-dynamics-crm/vulnerability/wordpress-wp-dynamics-crm-plugin-1-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.