CVE-2025-24758
Published: 03 March 2025
Summary
CVE-2025-24758 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24758 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CM Map Locations WordPress plugin (cm-map-locations) developed by CreativeMindsSolutions. This issue affects all versions of the plugin from n/a through 2.0.8 inclusive. The vulnerability was published on 2025-03-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited by remote attackers with no privileges required, low attack complexity, and network access, though it necessitates user interaction, such as visiting a maliciously crafted webpage or clicking a link. Exploitation enables script injection in the victim's browser context within the affected site, potentially allowing theft of session cookies, deflection to malicious sites, or minor disruptions, with impacts rated low on confidentiality, integrity, and availability but elevated due to scope change.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cm-map-locations/vulnerability/wordpress-cm-map-locations-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the Reflected XSS in the WordPress CM Map Locations plugin up to version 2.0.8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5660
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through <= 2.0.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation via crafted malicious links (T1204.001) for client-side script execution, directly facilitating session cookie theft (T1539) and fitting public-facing application exploitation (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper neutralization of input during web page generation by requiring filtering or encoding of outputs to prevent reflected XSS script injection.
Validates and sanitizes untrusted inputs before processing or reflection, mitigating malicious payloads in reflected XSS attacks.
Ensures timely patching or updating of the vulnerable CM Map Locations WordPress plugin (versions <=2.0.8) to remediate the specific XSS flaw.