CVE-2025-24677
Published: 04 February 2025
Summary
CVE-2025-24677 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents code injection by enforcing validation of user inputs in the plugin's import functionality, blocking remote code inclusion.
SI-2 mandates timely remediation of the specific code injection flaw through patching the affected WordPress plugin versions up to 2.0.3.
SI-3 mitigates execution of arbitrary remote code resulting from successful injection via malicious code scanning and protection mechanisms.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection vulnerability in public-facing WordPress plugin enables remote authenticated exploitation for RCE on the server, directly mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for arbitrary command execution.
NVD Description
Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies allows Remote Code Inclusion.This issue affects Post/Page Copying Tool: from n/a through <= 2.0.3.
Deeper analysisAI
CVE-2025-24677 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the WordPress plugin "wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies." This flaw enables Remote Code Inclusion and affects all versions of the plugin up to and including 2.0.3. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high impact across confidentiality, integrity, and availability.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without user interaction. Successful exploitation allows attackers to include and execute arbitrary remote code on the WordPress server, achieving full remote code execution (RCE) with changed scope to the server context, potentially leading to complete server compromise.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/postpage-import-export-with-custom-fields-taxonomies/vulnerability/wordpress-post-page-copying-tool-to-export-and-import-post-page-for-cross-site-migration-plugin-2-0-3-remote-code-execution-rce-vulnerability?_s_id=cve provides details on the vulnerability and recommended mitigations.
Details
- CWE(s)