Cyber Posture

CVE-2025-24576

High

Published: 03 February 2025

Published
03 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 13.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24576 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs, directly preventing reflected XSS by neutralizing malicious payloads in user-supplied data like crafted URLs.

SI-15 Information Output Filtering good match
prevent

SI-15 mandates filtering of information outputs, comprehensively addressing XSS by encoding or sanitizing reflected content before rendering in the browser.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely flaw remediation through patching the vulnerable WordPress plugin versions up to 1.7.7, eliminating the root cause of the improper input neutralization.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

The reflected XSS vulnerability directly enables injection and execution of malicious scripts in the victim's browser via crafted URLs, mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Landing Page Cat landing-page-cat allows Reflected XSS.This issue affects Landing Page Cat: from n/a through <= 1.7.7.

Deeper analysisAI

CVE-2025-24576 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Landing Page Cat WordPress plugin by fatcatapps. The issue affects all versions of the plugin from n/a through 1.7.7 and was published on 2025-02-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no privileges required, but user interaction needed, and changed scope. Remote unauthenticated attackers can exploit it by injecting malicious payloads into reflected inputs on affected web pages, such as via crafted URLs, tricking victims into interacting (e.g., visiting a malicious link). This enables script execution in the victim's browser, with low impacts on confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/landing-page-cat/vulnerability/wordpress-landing-page-cat-plugin-1-7-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2026-32751Shared CWE-79
CVE-2025-23792Shared CWE-79
CVE-2026-4345Shared CWE-79
CVE-2026-4369Shared CWE-79
CVE-2026-33066Shared CWE-79
CVE-2025-22570Shared CWE-79
CVE-2025-24534Shared CWE-79
CVE-2025-68669Shared CWE-79
CVE-2026-4344Shared CWE-79
CVE-2026-40322Shared CWE-79

References