CVE-2025-24758
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-24758 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CM Map Locations WordPress plugin (cm-map-locations) developed by CreativeMindsSolutions. This issue affects all versions of the plugin from n/a through 2.0.8 inclusive. The vulnerability was published on 2025-03-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited by remote attackers with no privileges required, low attack complexity, and network access, though it necessitates user interaction, such as visiting a maliciously crafted webpage or clicking a link. Exploitation enables script injection in the victim's browser context within the affected site, potentially allowing theft of session cookies, deflection to malicious sites, or minor disruptions, with impacts rated low on confidentiality, integrity, and availability but elevated due to scope change.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cm-map-locations/vulnerability/wordpress-cm-map-locations-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the Reflected XSS in the WordPress CM Map Locations plugin up to version 2.0.8.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation via crafted malicious links (T1204.001) for client-side script execution, directly facilitating session cookie theft (T1539) and fitting public-facing application exploitation (T1190).