CVE-2025-24541
Published: 03 February 2025
Summary
CVE-2025-24541 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its exploit-likelihood ranking is at the 12.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering): directly mitigates reflected XSS by filtering information outputs to neutralize malicious scripts during web page generation in the DK White Label plugin.
SI-10 (Information Input Validation): enforces validation of user inputs so that malicious payloads are not accepted and reflected unsanitized into web pages.
SI-2 (Flaw Remediation): requires timely flaw remediation, including patching this XSS vulnerability in all affected versions of the DK White Label WordPress plugin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007) and directly facilitates theft of session data (T1185).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dinamiko DK White Label dk-white-label allows Reflected XSS. This issue affects DK White Label: from n/a through <= 1.0.
Deeper analysis
CVE-2025-24541 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the dinamiko DK White Label WordPress plugin (dk-white-label). This issue impacts all versions from n/a through 1.0 inclusive, as published on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. A remote attacker needs no privileges or authentication (PR:N) but must trick a user, typically an authenticated WordPress user such as an administrator, into following a crafted link whose parameter is reflected unsanitized on a vulnerable page (UI:R). Successful exploitation runs arbitrary script in the victim's browser context, potentially allowing theft of session data, defacement, or other low-impact actions against confidentiality, integrity, and availability (C:L/I:L/A:L); the scope is changed (S:C) because the script executes in the user's browser, a component beyond the vulnerable plugin itself.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/dk-white-label/vulnerability/wordpress-dk-white-label-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS in DK White Label plugin version 1.0 and serves as the primary reference for mitigation guidance. Practitioners should review it for recommended patches or workarounds, such as plugin updates if available.
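What the SI-10 and SI-15 controls named above look like in plugin code, as an added illustration. This is constructed for this page and is not the DK White Label plugin's code: the function names, the `dk_msg` request parameter and the fallback definitions of the WordPress escaping helpers are assumptions so that the file also runs with plain `php` outside WordPress.

```php
<?php
// Constructed illustration of a reflected XSS pattern (CWE-79) in a WordPress
// plugin and its hardened form. NOT the DK White Label plugin's code; the
// function names and the "dk_msg" parameter are assumptions for this example.

// Fallbacks so the file runs outside WordPress. Inside WordPress the real
// esc_html(), esc_attr() and sanitize_text_field() are used; these
// approximations behave the same way for the inputs shown here.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of WordPress: strip tags and control characters, trim.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern: a request parameter is concatenated straight into the
// generated page, so any markup or quote characters in the URL become part of
// the document. This is the shape of defect the CVE describes, in generic form.
function vulnerable_notice(array $get): string {
    $msg = $get['dk_msg'] ?? '';
    return '<div class="notice"><p>' . $msg . '</p>'
         . '<a href="?dk_msg=' . $msg . '">retry</a></div>';
}

// Hardened pattern: SI-10 validates the input on the way in, SI-15 escapes the
// output for the exact context it lands in (HTML text vs. attribute value).
function hardened_notice(array $get): string {
    // SI-10: normalise the untrusted value before it is used anywhere.
    $msg = sanitize_text_field((string)($get['dk_msg'] ?? ''));
    // SI-15: context-specific output encoding; the attribute value is also
    // URL-encoded because it is embedded in a query string.
    return '<div class="notice"><p>' . esc_html($msg) . '</p>'
         . '<a href="?dk_msg=' . esc_attr(rawurlencode($msg)) . '">retry</a></div>';
}

// Constructed request value containing both a tag and quote characters, so the
// effect of each control is visible: sanitize_text_field() removes the tag and
// esc_html()/esc_attr() neutralise the remaining special characters.
$request = ['dk_msg' => 'Tom & "Jerry" <b>'];

echo "vulnerable: " . vulnerable_notice($request) . "\n";
echo "hardened:   " . hardened_notice($request) . "\n";
```

Run with `php example.php`. The vulnerable output reproduces the raw `<b>` tag and unescaped quotes inside the `href`, which is exactly the condition a reflected-XSS finding describes. The hardened output carries `Tom &amp; &quot;Jerry&quot;` in the paragraph and a URL-encoded, attribute-escaped value in the link, so no request content can close the attribute or open an element. In an actual plugin, validating the parameter against an allow-list of expected values (or a nonce check for state-changing pages) is the stronger form of SI-10; the sanitizer shown here is the minimum.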
Details
- CWE(s)