CVE-2025-24558
Published: 14 February 2025
Summary
CVE-2025-24558 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification, reporting, and correction of flaws like this reflected XSS vulnerability in the CRM Perks WordPress plugin through timely patching.
Mandates filtering and encoding of information output during web page generation to neutralize malicious input reflected in this XSS attack.
Enforces input validation at entry points to reject or sanitize unsanitized user input exploited in this reflected XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary client-side script execution, directly facilitating browser session hijacking via cookie theft or similar (T1185) and minor site defacement by modifying page content (T1491.002).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks support-x allows Reflected XSS.This issue affects CRM Perks: from n/a through <= 1.1.5.
Deeper analysisAI
CVE-2025-24558 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CRM Perks support-x WordPress plugin. This issue affects all versions of the plugin from n/a through 1.1.5 inclusive. The vulnerability was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) by tricking a user into performing an action such as clicking a malicious link or submitting crafted input on a vulnerable site (UI:R). Exploitation reflects unsanitized input into web pages, enabling arbitrary script execution in the victim's browser context within the site's scope (S:C). This can result in low impacts to confidentiality, integrity, and availability, such as session hijacking, data theft, or minor site defacement.
The Patchstack advisory provides details on this Reflected XSS vulnerability in the CRM Perks WordPress plugin up to version 1.1.5, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/support-x/vulnerability/wordpress-crm-perks-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)