CVE-2025-24564
Published: 14 February 2025
Summary
CVE-2025-24564 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood is ranked at the 39.1st percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24564 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Contact Form With Shortcode WordPress plugin developed by aviplugins.com, impacting all versions from unknown initial release through 4.2.5.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network accessibility, low attack complexity, no privileges required, but user interaction needed, with changed scope (the impact lands in the victim's browser rather than in the vulnerable server-side component) and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted links or inputs that the contact form reflects back unescaped, allowing script injection into the victim's browser session.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-with-shortcode/vulnerability/wordpress-contact-form-with-shortcode-plugin-4-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS issue in the plugin up to version 4.2.5, providing details for security practitioners on the affected component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3772
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Contact Form With Shortcode contact-form-with-shortcode allows Reflected XSS. This issue affects Contact Form With Shortcode: from n/a through <= 4.2.5.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) via crafted links or inputs.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) requires that user input to the contact form be validated before it is used, removing the improperly neutralized input that reflected XSS depends on.
SI-15 (Information Output Filtering) requires that output generated by the plugin be filtered and encoded for the context it is written into, so reflected input cannot execute as script in victims' browsers.
SI-2 ensures timely identification, reporting, and patching of the specific flaw in Contact Form With Shortcode versions through 4.2.5.
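The following is an added illustration of the SI-10 and SI-15 controls above; it is not code from the Contact Form With Shortcode plugin or from aviplugins.com. It assumes a hypothetical form that re-displays a "name" field after submission, and uses plain PHP functions (htmlspecialchars, strip_tags) so it runs stand-alone; inside a real WordPress plugin the equivalents are sanitize_text_field() for input and esc_attr() / esc_html() for output. The sample input is constructed and carries only a harmless marker.

```php
<?php
// Added example, not the plugin's code. Shows the CWE-79 pattern beside its
// hardened form: validate input (SI-10) and encode output for its context (SI-15).

// Constructed sample request: the kind of value a reflected-XSS link would carry.
// The script body is a harmless marker, not a working payload.
$submitted = ['name' => '"><script>marker()</script>'];

// Vulnerable pattern (CWE-79): request input is concatenated straight into HTML,
// so a quote in the input closes the attribute and the rest becomes markup.
function render_vulnerable(array $req): string {
    $name = $req['name'] ?? '';
    return '<input type="text" name="name" value="' . $name . '">';
}

// SI-10: input validation. Strips tags and control characters and bounds the
// length. WordPress's sanitize_text_field() performs a similar normalisation.
function sanitize_name(string $raw): string {
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return substr(trim($clean), 0, 100);
}

// SI-15: output filtering for an HTML attribute context. Encodes quotes and
// angle brackets so the value can never terminate the attribute or start a tag.
// WordPress's esc_attr() is the in-plugin equivalent; esc_html() is the one
// for text between tags. The context decides which encoder is correct.
function esc_attr_ctx(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate on the way in, encode on the way out.
function render_hardened(array $req): string {
    $name = sanitize_name((string) ($req['name'] ?? ''));
    return '<input type="text" name="name" value="' . esc_attr_ctx($name) . '">';
}

// Simple self-check a plugin test suite could keep: the rendered fragment must
// contain exactly one tag (the input) and no raw '<' from user data.
function fragment_is_safe(string $html): bool {
    return substr_count($html, '<') === 1 && strpos($html, '<script') === false;
}

echo "vulnerable: " . render_vulnerable($submitted) . PHP_EOL;
echo "  safe? " . (fragment_is_safe(render_vulnerable($submitted)) ? 'yes' : 'no') . PHP_EOL;
echo "hardened:   " . render_hardened($submitted) . PHP_EOL;
echo "  safe? " . (fragment_is_safe(render_hardened($submitted)) ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`. The hardened branch prints the marker as `&quot;&gt;` inside the attribute, so the browser shows the characters rather than interpreting them. Two design points worth keeping in mind when reviewing a fix for this class of bug: output encoding (SI-15) is the control that actually stops reflected XSS, and it must match the output context (attribute, element text, URL, JavaScript); input validation (SI-10) is defence in depth and, on its own, is easy to bypass. Updating the plugin past the affected range (SI-2) remains the first action for deployed sites.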