Cyber Resilience

CVE-2025-24758

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0023 46.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24758 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24758 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CM Map Locations WordPress plugin (cm-map-locations) developed by CreativeMindsSolutions. This issue affects all versions of the plugin from n/a through 2.0.8 inclusive. The vulnerability was published on 2025-03-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability can be exploited by remote attackers with no privileges required, low attack complexity, and network access, though it necessitates user interaction, such as visiting a maliciously crafted webpage or clicking a link. Exploitation enables script injection in the victim's browser context within the affected site, potentially allowing theft of session cookies, deflection to malicious sites, or minor disruptions, with impacts rated low on confidentiality, integrity, and availability but elevated due to scope change.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cm-map-locations/vulnerability/wordpress-cm-map-locations-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the Reflected XSS in the WordPress CM Map Locations plugin up to version 2.0.8.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through <= 2.0.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS in public-facing WordPress plugin enables exploitation via crafted malicious links (T1204.001) for client-side script execution, directly facilitating session cookie theft (T1539) and fitting public-facing application exploitation (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32529Shared CWE-79
CVE-2025-23626Shared CWE-79
CVE-2026-42366Shared CWE-79
CVE-2025-28877Shared CWE-79
CVE-2025-22765Shared CWE-79
CVE-2024-13885Shared CWE-79
CVE-2025-23645Shared CWE-79
CVE-2024-13094Shared CWE-79
CVE-2025-27269Shared CWE-79
CVE-2025-24017Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses improper neutralization of input during web page generation by requiring filtering or encoding of outputs to prevent reflected XSS script injection.

prevent

Validates and sanitizes untrusted inputs before processing or reflection, mitigating malicious payloads in reflected XSS attacks.

prevent

Ensures timely patching or updating of the vulnerable CM Map Locations WordPress plugin (versions <=2.0.8) to remediate the specific XSS flaw.

References