Cyber Resilience

CVE-2025-24576

High

Published: 03 February 2025

Published
03 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 13.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24576 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-24576 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Landing Page Cat WordPress plugin by fatcatapps. The issue affects all versions of the plugin from n/a through 1.7.7 and was published on 2025-02-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low complexity, no privileges required, but user interaction needed, and changed scope. Remote unauthenticated attackers can exploit it by injecting malicious payloads into reflected inputs on affected web pages, such as via crafted URLs, tricking victims into interacting (e.g., visiting a malicious link). This enables script execution in the victim's browser, with low impacts on confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/landing-page-cat/vulnerability/wordpress-landing-page-cat-plugin-1-7-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Landing Page Cat landing-page-cat allows Reflected XSS.This issue affects Landing Page Cat: from n/a through <= 1.7.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The reflected XSS vulnerability directly enables injection and execution of malicious scripts in the victim's browser via crafted URLs, mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23792Shared CWE-79
CVE-2026-32751Shared CWE-79
CVE-2026-4369Shared CWE-79
CVE-2026-33066Shared CWE-79
CVE-2026-4345Shared CWE-79
CVE-2025-23207Shared CWE-79
CVE-2025-23741Shared CWE-79
CVE-2025-23881Shared CWE-79
CVE-2025-24028Shared CWE-79
CVE-2026-34558Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs, directly preventing reflected XSS by neutralizing malicious payloads in user-supplied data like crafted URLs.

prevent

SI-15 mandates filtering of information outputs, comprehensively addressing XSS by encoding or sanitizing reflected content before rendering in the browser.

prevent

SI-2 ensures timely flaw remediation through patching the vulnerable WordPress plugin versions up to 1.7.7, eliminating the root cause of the improper input neutralization.

References