CVE-2025-24289
BaseFortify
Publication date: 2025-06-29
Last updated on: 2025-06-30
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Cross-Site Scripting (XSS) in the UCRM Client Signup Plugin version 1.3.4 and earlier. It can allow an attacker to escalate privileges if an Administrator is tricked into visiting a specially crafted malicious webpage. The plugin is disabled by default.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to escalate their privileges by executing malicious scripts in the context of an Administrator's session. This could lead to unauthorized access, data manipulation, or control over the affected system.
What immediate steps should I take to mitigate this vulnerability?
Since the UCRM Client Signup Plugin is disabled by default, ensure that the plugin remains disabled if not needed. If the plugin is in use, upgrade to a version later than v1.3.4 once available or apply any official patches. Additionally, educate administrators to avoid visiting untrusted or suspicious links to prevent exploitation via CSRF leading to XSS.