CVE-2025-24535

High

Published: 31 January 2025

Published

31 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0013 32.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24535 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Enforces output filtering to neutralize untrusted input during web page generation, directly preventing reflected XSS script execution in victims' browsers.

SI-10 Information Input Validation good match

prevent

Implements input validation at entry points to reject or sanitize malicious payloads targeting the SKT Donation plugin's reflected XSS vulnerability.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like CVE-2025-24535 in the SKT Donation WordPress plugin to prevent exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007), typically via crafted malicious links in phishing campaigns (T1566.002), facilitating impacts like session hijacking (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Donation skt-donation allows Reflected XSS.This issue affects SKT Donation: from n/a through <= 1.9.

Deeper analysisAI

CVE-2025-24535 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the SKT Donation WordPress plugin developed by sonalsinha21 (skt-donation). This issue affects all versions of the plugin from n/a through 1.9 inclusive. The vulnerability was published on 2025-01-31.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by crafting inputs that reflect executable scripts back to victims' browsers with changed scope, potentially achieving low impacts to confidentiality, integrity, and availability, such as session hijacking or data theft in the victim's context.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/skt-donation/vulnerability/wordpress-skt-donation-plugin-1-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in SKT Donation version 1.9 for WordPress, providing vulnerability specifics for security practitioners to assess and mitigate affected installations.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2026-25352Shared CWE-79

CVE-2025-22356Shared CWE-79

CVE-2026-33136Shared CWE-79

CVE-2026-30918Shared CWE-79

CVE-2026-25461Shared CWE-79

CVE-2024-13574Shared CWE-79

CVE-2025-23464Shared CWE-79

CVE-2025-23491Shared CWE-79

CVE-2025-22682Shared CWE-79

CVE-2026-24838Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/skt-donation/vulnerability/wordpress-skt-donation-plugin-1-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com