CVE-2025-24608
Published: 31 January 2025
Summary
CVE-2025-24608 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24608 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the GD Mail Queue WordPress plugin developed by Milan Petrovic. The issue affects GD Mail Queue versions from n/a through 4.3 inclusive. Published on 2025-01-31, it carries a CVSS v3.1 base score of 7.1 (High).
The vulnerability can be exploited remotely (AV:N) with low attack complexity (AC:L); it requires no privileges (PR:N) but does require user interaction (UI:R), such as clicking a crafted link, and it results in a changed scope (S:C). Unauthenticated attackers can deliver payloads via reflected inputs, leading to script execution in the victim's browser. The impact on confidentiality, integrity, and availability is rated low (C:L/I:L/A:L), covering outcomes such as session token theft or malicious script injection targeting site users.
Patchstack has documented the vulnerability in detail, including assessment for WordPress plugin gd-mail-queue version 4.3, at https://patchstack.com/database/Wordpress/Plugin/gd-mail-queue/vulnerability/wordpress-gd-mail-queue-plugin-4-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3812
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue gd-mail-queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through <= 4.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables direct exploitation of the web application (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007), with impacts such as session theft.
Mitigating Controls (NIST 800-53 r5)
SI-15 directly mitigates reflected XSS by requiring filtering of information outputs to prevent execution of injected malicious scripts during web page generation.
SI-10 enforces validation of user inputs, blocking malicious payloads such as XSS scripts before they can be reflected into web pages without proper neutralization.
SI-2 ensures timely flaw remediation, including patching the specific XSS vulnerability in GD Mail Queue versions through 4.3.