CVE-2025-24536
Published: 03 February 2025
Summary
CVE-2025-24536 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24536 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the ThriveDesk WordPress plugin in all versions from n/a through 2.0.6.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no privileges required, but user interaction is necessary. Remote attackers can craft malicious payloads delivered via reflected inputs, tricking users into interacting (e.g., via phishing links), to execute scripts in the victim's browser context with changed scope, achieving low impacts on confidentiality, integrity, and availability.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/thrivedesk/vulnerability/wordpress-thrivedesk-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in ThriveDesk plugin version 2.0.6 for WordPress, providing details for security practitioners to assess and address exposure in affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3748
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThriveDesk ThriveDesk thrivedesk allows Reflected XSS.This issue affects ThriveDesk: from n/a through <= 2.0.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS vulnerability in the public-facing WordPress plugin enables exploitation of public-facing applications via crafted malicious links that trigger script execution in the victim's browser context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper neutralization of input during web page generation by filtering outputs to prevent reflected XSS script execution.
Validates and sanitizes user inputs to block malicious XSS payloads before they are reflected in web responses.
Ensures timely remediation of the specific flaw in ThriveDesk plugin versions through <=2.0.6 by applying vendor patches.