CVE-2025-24708
Published: 27 January 2025
Summary
CVE-2025-24708 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Information Output Filtering directly prevents reflected XSS by neutralizing malicious input reflected in web page generation.
Information Input Validation checks and sanitizes form inputs to block XSS payloads before they are processed by the plugin.
Flaw Remediation requires timely patching of the vulnerable plugin versions to eliminate the improper neutralization issue.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS via crafted malicious URL/link enables user interaction to trigger JS execution (T1204.001) and directly facilitates theft of web session cookies/session data (T1539).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-dynamics-crm allows Reflected XSS.This issue affects WP Dynamics CRM for Contact Form 7,…
more
WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.6.
Deeper analysisAI
CVE-2025-24708 is an Improper Neutralization of Input During Web Page Generation vulnerability, specifically a Reflected Cross-Site Scripting (XSS) issue classified under CWE-79. It affects the CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin (cf7-dynamics-crm), impacting all versions from n/a through 1.1.6. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.
A remote attacker without privileges can exploit this reflected XSS by crafting malicious input, such as a specially prepared URL or form submission, that gets reflected back in the generated web page without sanitization. The attack requires a victim to interact with the malicious payload, typically by clicking a link or submitting a form on an affected WordPress site using the plugin. Successful exploitation executes arbitrary JavaScript in the victim's browser context, enabling potential theft of session data, cookie manipulation, or other client-side actions within the low-impact scope defined by the CVSS metrics.
The Patchstack advisory provides details on this vulnerability, including verification and exploitation information, accessible at https://patchstack.com/database/Wordpress/Plugin/cf7-dynamics-crm/vulnerability/wordpress-wp-dynamics-crm-plugin-1-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)