CVE-2025-24599
Published: 04 February 2025
Summary
CVE-2025-24599 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its exploit likelihood ranks at the 32.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24599 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin. This issue affects all versions of the plugin from n/a through 4.9.9.6; it was published on 2025-02-04.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, but necessitating user interaction such as clicking a malicious link. Remote attackers can deliver payloads reflected in web pages, potentially leading to limited impacts on confidentiality, integrity, and availability within a changed scope, such as session hijacking or data theft for interacting users.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-9-9-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3803
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS. This issue affects Newsletters: from n/a through <= 4.9.9.6.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables client-side JavaScript execution in the victim's browser via a crafted malicious link that requires a user click, directly matching exploitation for client execution and user execution via a malicious link.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of information inputs to prevent improper neutralization leading to reflected XSS payloads.
- SI-15 (Information Output Filtering): Mandates filtering of information outputs to neutralize malicious scripts reflected in web pages during generation.
- Flaw remediation: Ensures timely remediation of flaws like this reflected XSS vulnerability through identification, reporting, and patching.