CVE-2025-24774
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-24774 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "WPCRM - CRM for Contact form CF7 & WooCommerce" versions up to 3.2.0. It allows unauthenticated attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when site visitors access the affected website. This vulnerability is classified under OWASP Top 10 A3: Injection and has a medium severity CVSS score of 7.1. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website visitors' browsers without authentication. This can lead to unauthorized redirects, display of unwanted advertisements, theft of user data, session hijacking, or other malicious activities. Automated attacks may target all vulnerable sites indiscriminately, increasing the risk of exploitation. If your site is compromised, professional incident response and server-side malware scanning are recommended. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or detailed methods for detecting this vulnerability on your network or system. However, detection generally involves monitoring for unusual script injections or reflected XSS attack patterns in web traffic or logs. For precise detection, professional incident response and server-side malware scanning are recommended, as plugin-based scanners may be compromised. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) released by Patchstack, which blocks attack attempts until an official update is available. Additionally, it is important to conduct professional incident response and server-side malware scanning if the site is suspected to be compromised. Since no official fix is currently available, virtual patching provides rapid protection with minimal performance impact. [1]