CVE-2025-24560
Published: 31 January 2025
Summary
CVE-2025-24560 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 35.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24560 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Awesome Event Booking WordPress plugin by AwesomeTOGI (awesome-event-booking). The issue impacts all versions from n/a through 2.7.1, as published on 2025-01-31.
The vulnerability carries a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable remotely over the network by an unauthenticated attacker with low attack complexity, but requires user interaction. An attacker can craft input that the plugin reflects into a web page without sanitization, so that script executes in the victim's browser context; the rated impact is low on confidentiality, integrity, and availability, with a changed scope because the script runs in the user's browser rather than in the vulnerable component itself.
Patchstack provides details on the vulnerability via its advisory at https://patchstack.com/database/Wordpress/Plugin/awesome-event-booking/vulnerability/wordpress-awesome-event-booking-plugin-2-7-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, covering the Reflected XSS in Awesome Event Booking plugin version 2.7.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3768
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AwesomeTOGI Awesome Event Booking awesome-event-booking allows Reflected XSS. This issue affects Awesome Event Booking: from n/a through <= 2.7.1.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS allows injection and execution of arbitrary JavaScript in the victim's browser (T1059.007) when the user interacts with a crafted malicious link (T1204.001).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of user inputs to neutralize malicious scripts before processing, preventing reflected XSS exploitation in the WordPress plugin.
- SI-15 (Information Output Filtering): requires filtering and encoding of outputs prior to rendering, blocking reflected malicious scripts from executing in victims' browsers.
- Flaw remediation: ensures timely identification, reporting, and patching of flaws like this reflected XSS vulnerability in the Awesome Event Booking plugin.
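The following is an added illustration of what the SI-10 and SI-15 controls look like in WordPress plugin code. It is not code from the Awesome Event Booking plugin and does not reproduce its actual flaw; the parameter name event_date, the function names and the text domain are hypothetical. It places the general reflected-XSS pattern (a request parameter echoed straight back into the page) beside a hardened version that validates the input against the expected format and escapes it for the specific output context using WordPress's own helpers.

```php
<?php
// Added example: SI-10 (input validation) and SI-15 (output filtering) in a
// WordPress plugin context. NOT code from the Awesome Event Booking plugin;
// the 'event_date' parameter and the aeb_demo_* function names are hypothetical.

// Vulnerable pattern (the general CWE-79 reflected XSS shape): a request
// parameter is written into an HTML attribute with no validation or escaping,
// so a value containing a quote can break out of the attribute.
function aeb_demo_vulnerable_render() {
    $date = isset( $_GET['event_date'] ) ? $_GET['event_date'] : '';
    echo '<input type="text" name="event_date" value="' . $date . '">';
}

// Hardened pattern: validate on the way in, escape on the way out.
function aeb_demo_hardened_render() {
    // SI-10: remove WordPress's added slashes, strip tags and control
    // characters, then enforce the exact format the field is supposed to carry
    // (an ISO date). Anything else is discarded rather than "cleaned".
    $raw  = isset( $_GET['event_date'] ) ? wp_unslash( $_GET['event_date'] ) : '';
    $date = sanitize_text_field( $raw );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        $date = '';
    }

    // SI-15: escape for the context the value lands in. esc_attr() for an
    // attribute value, esc_html() for text between tags. Even though $date has
    // already been validated, escaping is kept so the two controls are
    // independent and neither relies on the other being correct.
    echo '<input type="text" name="event_date" value="' . esc_attr( $date ) . '">';
    if ( '' !== $date ) {
        echo '<p>' . sprintf(
            /* translators: %s is the validated event date */
            esc_html__( 'Showing events for %s', 'aeb-demo' ),
            esc_html( $date )
        ) . '</p>';
    }
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every occurrence of $_GET, $_POST or $_REQUEST should reach an echo or template only after passing through a sanitize_*() or typed cast (SI-10) and an esc_*() call matching the output context (SI-15). A value that is validated but not escaped, or escaped with the wrong function for its context (for example esc_html() inside an attribute or a JavaScript block), is still a finding.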