Cyber Resilience

CVE-2025-24632

Severity: High
Published: 31 January 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0015 (35.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24632 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Content Injection (T1659). The CVE is ranked at the 35.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-24632 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Advanced Dynamic Pricing for WooCommerce WordPress plugin by algol.plus, with the issue present in all versions up to and including 4.9.0. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Attackers can exploit this vulnerability remotely over the network with low complexity and no authentication privileges required, though it demands user interaction such as visiting a maliciously crafted link or page. Exploitation allows injection of malicious scripts into reflected content on the site, potentially enabling theft of user session cookies, keystroke logging, or other client-side attacks within the victim's browser context, with low but cross-scope impacts to confidentiality, integrity, and availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/advanced-dynamic-pricing-for-woocommerce/vulnerability/wordpress-advanced-dynamic-pricing-for-woocommerce-plugin-4-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS issue in Advanced Dynamic Pricing for WooCommerce version 4.9.0 and provides vulnerability details for WordPress site administrators.

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in algol.plus Advanced Dynamic Pricing for WooCommerce advanced-dynamic-pricing-for-woocommerce allows Reflected XSS. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through <= 4.9.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1659 Content Injection (Initial Access)
Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1056.001 Keylogging (Collection)
Adversaries may log user keystrokes to intercept credentials as the user types them.

Why these techniques?

Reflected XSS directly enables content injection (T1659) through malicious script execution in the victim's browser; that in turn facilitates browser session hijacking (T1185) by stealing web session cookies (T1539) and keylogging (T1056.001), as described in the CVE impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57514 (shared CWE-79)
CVE-2025-26541 (shared CWE-79)
CVE-2025-26587 (shared CWE-79)
CVE-2025-23786 (shared CWE-79)
CVE-2026-2834 (shared CWE-79)
CVE-2026-32277 (shared CWE-79)
CVE-2026-35035 (shared CWE-79)
CVE-2026-2568 (shared CWE-79)
CVE-2026-46367 (shared CWE-79)
CVE-2025-25102 (shared CWE-79)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-15 (Information Output Filtering) directly prevents reflected XSS by requiring filtering of malicious scripts from user input reflected in web page generation.

Prevent: SI-10 (Information Input Validation) enforces validation of untrusted inputs to block malicious payloads that could lead to XSS injection in the WooCommerce plugin.

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, such as patching the Advanced Dynamic Pricing for WooCommerce plugin beyond version 4.9.0 to eliminate the XSS vulnerability.
