CVE-2026-24975
Published: 25 March 2026
Summary
CVE-2026-24975 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24975 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the NooTheme Organici Library WordPress plugin (noo-organici-library). This issue affects all versions of the plugin from n/a through 2.1.2 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
Remote attackers can exploit this Reflected XSS by sending malicious input that is reflected without proper neutralization in dynamically generated web pages. Exploitation requires tricking an authenticated or unauthenticated user into interacting with a crafted link or input, such as via phishing. Upon success, attackers can execute arbitrary JavaScript in the victim's browser context, potentially stealing session tokens, cookies, or other sensitive data, or performing actions on behalf of the user.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/noo-organici-library/vulnerability/wordpress-organici-library-plugin-2-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in Organici Library plugin version 2.1.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15590
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Organici Library (noo-organici-library) allows Reflected XSS. This issue affects Organici Library: from n/a through <= 2.1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of the web application over the network (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007) via crafted links.
Mitigating Controls (NIST 800-53 r5)
SI-15 directly and comprehensively mitigates reflected XSS by requiring filtering of information prior to output to web pages, preventing injection of malicious JavaScript.
SI-10 enforces validation of information inputs, directly addressing the improper neutralization of malicious input reflected in dynamically generated web pages.
SI-2 requires timely flaw remediation, such as patching the Organici Library plugin versions through 2.1.2 to eliminate the specific XSS vulnerability.
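The following is an added illustration of what SI-10 and SI-15 mean in WordPress plugin code; it is not code from the Organici Library plugin, and the parameter name `q`, the function names, and the probe string are constructed for the example. It places a reflected-XSS sink beside its hardened form, which validates the request parameter on input and escapes it separately for the attribute and the text-node context using the WordPress escaping API. The `function_exists` stand-ins are simplified fallbacks so the file also runs under plain `php` outside WordPress; inside WordPress the real `sanitize_text_field`, `esc_html` and `esc_attr` are used instead.

```php
<?php
// Added example, not plugin code. Reflected-XSS sink and its hardened form.
// Parameter name "q" and function names are hypothetical.

// Simplified stand-ins so this runs outside WordPress. The real WordPress
// functions are richer (UTF-8 checks, octet handling); these only approximate them.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                 // drop tags
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str); // drop control chars
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE (CWE-79): the request parameter is written into the page untouched,
// once inside an attribute value and once as text. Either position is a sink.
function render_search_banner_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<div class="banner" data-q="' . $q . '">Results for ' . $q . '</div>';
}

// HARDENED: SI-10 on the way in (sanitise, bound the length), SI-15 on the way out
// (escape for the exact output context). Output escaping is the control that
// closes the XSS; input sanitisation is defence in depth, not a substitute.
function render_search_banner_hardened(array $get): string {
    $q = sanitize_text_field($get['q'] ?? '');
    if (strlen($q) > 100) {          // constructed length bound for this example
        $q = substr($q, 0, 100);
    }
    return '<div class="banner" data-q="' . esc_attr($q) . '">'
         . 'Results for ' . esc_html($q) . '</div>';
}

// Constructed probe input of the kind an XSS scanner sends: it tries to break
// out of the attribute and inject an element.
$probe = ['q' => '"><script>alert(1)</script>'];

echo "vulnerable: ", render_search_banner_vulnerable($probe), PHP_EOL;
echo "hardened:   ", render_search_banner_hardened($probe), PHP_EOL;
```

Run with `php example.php`: the first line shows the probe reflected verbatim, so the quote closes the attribute and the injected element becomes live markup; the second line shows the quote and angle brackets rendered as `&quot;`, `&lt;` and `&gt;`, so the browser treats the whole value as data. The point to carry into review of any plugin is that the escaping call must match the context it is emitted into (`esc_attr` inside attributes, `esc_html` in text, `esc_url` in `href`/`src`), and that a sanitised variable still needs escaping at every output site.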