CVE-2025-24620
Published: 03 February 2025
Summary
CVE-2025-24620 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24620 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, affecting the AIO Shortcodes WordPress plugin developed by hkharpreetkumar1 under the identifier aio-shortcodes. The issue impacts all versions from n/a through 1.3 inclusive, allowing malicious input to be stored and rendered without proper neutralization during web page generation.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but needing user interaction, and resulting in changed scope with low impacts to confidentiality, integrity, and availability. Any unauthenticated attacker can submit crafted input through plugin functionality, storing malicious scripts that execute in the browser context of authenticated users or administrators viewing affected pages, potentially leading to session hijacking, phishing, or further site compromise.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/aio-shortcodes/vulnerability/wordpress-aio-shortcodes-plugin-1-3-stored-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Stored XSS vulnerability specifically in AIO Shortcodes version 1.3 and provides details relevant to mitigation for WordPress site operators.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3823
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hkharpreetkumar1 AIO Shortcodes aio-shortcodes allows Stored XSS.This issue affects AIO Shortcodes: from n/a through <= 1.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting web app for initial access) and facilitates T1185 (browser session hijacking via injected scripts).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates stored XSS by filtering information outputs during web page generation to neutralize malicious scripts before execution in users' browsers.
Prevents acceptance and storage of malicious inputs by validating all plugin inputs against defined validity requirements, addressing improper neutralization at the input stage.
Remediates the specific flaw in the AIO Shortcodes plugin through timely identification, reporting, and patching of the vulnerability across all affected versions up to 1.3.