CVE-2026-24975
Reflected XSS in NooTheme Organici Library
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nootheme | organici_library | up to and including 2.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-24975 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a Reflected Cross-site Scripting (XSS) issue in the NooTheme Organici Library (noo-organici-library). It occurs due to improper neutralization of input during web page generation, which means that user-supplied input is not properly sanitized or escaped before being included in web pages. As a result, an attacker can inject malicious scripts that are reflected back to users, potentially executing in their browsers.
How can this vulnerability impact me?
This Reflected XSS vulnerability can allow attackers to execute malicious scripts in the context of a victim's browser. This can lead to theft of sensitive information such as cookies or session tokens, defacement of websites, redirection to malicious sites, or other malicious actions performed on behalf of the user.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the WordPress Organici Library plugin, versions up to and including 2.1.2. Detection typically involves identifying attempts to inject scripts via URLs, forms, or other input fields whose values are reflected into the page without proper sanitization.
While the resources do not provide specific commands, common detection methods include monitoring web server logs for suspicious query strings or payloads containing script tags or JavaScript code (remember to URL-decode the query string before matching, since payloads are usually percent-encoded in access logs).
- Use tools like curl or wget to test input fields or URLs for reflected script injection, e.g., sending a harmless marker payload such as `<script>alert(1)</script>` and checking whether it appears unescaped in the response body.
- Employ web vulnerability scanners that support XSS detection against the affected plugin endpoints.
- Check the installed plugin version by listing WordPress plugins with WP-CLI, for example: `wp plugin list | grep organici-library`
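The following Python script is an added example (it is not Patchstack's or the plugin vendor's tooling) that puts the two detection ideas above into practice: it URL-decodes query-string values from access-log lines and flags the ones carrying typical reflected-XSS indicators, and it reads `wp plugin list --format=csv` output to decide whether the installed version is below the fixed release 2.1.3 named in the advisory. The log lines and the WP-CLI output are constructed samples; the slug `noo-organici-library` is taken from the advisory text, and the indicator patterns are this example's own choice.

```python
"""Defensive triage helpers for a reflected-XSS advisory (added example)."""
import csv
import io
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Indicators commonly seen in reflected-XSS probes; matched after URL-decoding.
XSS_INDICATORS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I), "active HTML element"),
]

# Combined-format access log: client IP, then "METHOD TARGET HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log lines (not real traffic); line 2 and 3 carry probes.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /?s=organici HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Mar/2026:10:01:10 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "curl/8.4.0"
198.51.100.7 - - [25/Mar/2026:10:02:44 +0000] "GET /page/?title=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 4099 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Mar/2026:10:03:01 +0000] "GET /wp-content/plugins/noo-organici-library/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Constructed `wp plugin list --format=csv` output (columns as WP-CLI prints them).
SAMPLE_WP_CSV = """name,status,update,version
akismet,active,none,5.3
noo-organici-library,active,available,2.1.2
"""

FIXED_VERSION = "2.1.3"  # advisory: 2.1.3 or later is patched


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding; double encoding is a common evasion."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> Optional[str]:
    """Return the name of the first XSS indicator found in the decoded value, else None."""
    decoded = fully_decode(value)
    for pattern, label in XSS_INDICATORS:
        if pattern.search(decoded):
            return label
    return None


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """One finding per query parameter whose decoded value looks like an XSS probe."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m.group("target"))
        # parse_qsl decodes one layer; classify_value handles further layers.
        for name, value in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
            label = classify_value(value)
            if label:
                findings.append({"ip": m.group("ip"), "path": parsed.path,
                                 "param": name, "indicator": label})
    return findings


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable_version(installed: str) -> bool:
    """True when installed < 2.1.3, i.e. within the affected range (up to 2.1.2 inclusive)."""
    a, b = parse_version(installed), parse_version(FIXED_VERSION)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def plugin_status(wp_csv: str, slug: str = "noo-organici-library") -> Optional[Tuple[str, bool]]:
    """Find `slug` in WP-CLI CSV output and return (version, vulnerable?) or None if absent."""
    for row in csv.DictReader(io.StringIO(wp_csv)):
        if row.get("name") == slug:
            return row["version"], is_vulnerable_version(row["version"])
    return None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} param={f['param']} ({f['indicator']})")
    print("plugin:", plugin_status(SAMPLE_WP_CSV))
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents and feeding the output of `wp plugin list --format=csv` to `plugin_status`; the indicator list is deliberately small, so treat hits as leads for review rather than confirmed exploitation, and expect occasional false positives from values that legitimately contain `on...=`.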
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the WordPress Organici Library plugin to version 2.1.3 or later, where this vulnerability has been patched.
If updating immediately is not possible, apply the automatic mitigation rule provided by Patchstack to block attacks targeting this vulnerability.
Users who can neither update nor apply the mitigation rule should seek assistance from their hosting provider or web developer to implement temporary protections.