CVE-2025-24718
Published: 31 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-24718 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Sessions Time Monitoring Full Automatic plugin (activitytime) for WordPress websites. The issue affects all versions of the plugin from n/a through 1.1.1 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope with low impacts on confidentiality, integrity, and availability. An unauthenticated attacker can exploit it by crafting a malicious input that reflects unsanitized on a vulnerable site, tricking a user (such as an administrator) into interacting with it via a phishing link or similar vector, thereby executing arbitrary JavaScript in the victim's browser session.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this Reflected XSS vulnerability in WP Sessions Time Monitoring Full Automatic plugin version 1.1.1. Security practitioners should consult the advisory for recommended mitigation steps.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web app via crafted URLs; description explicitly notes delivery through phishing links to execute arbitrary JS in victim browser.