CVE-2024-11325
Description
The AWeber Forms by Optin Cat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in AWeber Forms by Optin Cat plugin up to version 2.5.7 allows unauthenticated attackers to inject arbitrary web scripts via unescaped add_query_arg.
Vulnerability
The AWeber Forms by Optin Cat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 2.5.7. The vulnerability stems from the use of add_query_arg without proper escaping on the URL in the eoi-subscribers.php file [1][2]. Because add_query_arg builds its result on the current request URI when no base URL is supplied, whatever the requester placed in the URL is returned in the generated link, and writing that link into the page without escaping lets an attacker inject arbitrary web scripts via crafted parameters.
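The following PHP snippet is an added illustration of the general pattern the CVE describes; it is not code from the AWeber Forms by Optin Cat plugin, and the function names are hypothetical. It shows an unescaped add_query_arg() result written into an href beside the corrected form that passes the URL through esc_url() before output, which is the escaping WordPress requires for add_query_arg() output in HTML.

```php
<?php
// Illustrative example, not code from the AWeber Forms by Optin Cat plugin.
// Function names are hypothetical; they show the general pattern only.

// add_query_arg() without an explicit base URL builds its result on the
// current request URI ($_SERVER['REQUEST_URI']). Anything the requester put
// in the path or query string is therefore echoed back in the return value.

// VULNERABLE PATTERN: the returned URL is written into an attribute unescaped,
// so a request URI containing a quote or angle bracket is reflected into the
// page as markup (reflected XSS).
function hypothetical_vulnerable_pagination_link( $page ) {
    $url = add_query_arg( array( 'paged' => (int) $page ) );
    echo '<a href="' . $url . '">Next page</a>';
}

// FIXED PATTERN: esc_url() sanitises the whole URL, including the reflected
// request path and query string, before it is printed into HTML. Casting the
// page number is still useful but does not protect the reflected URI itself.
function hypothetical_fixed_pagination_link( $page ) {
    $url = add_query_arg( array( 'paged' => (int) $page ) );
    echo '<a href="' . esc_url( $url ) . '">Next page</a>';
}
```

As a code-review check, every call to add_query_arg() whose result reaches HTML output should be wrapped in esc_url() (or esc_url_raw() when the value is used outside HTML, for example in a redirect). A search for add_query_arg( that is not immediately preceded by esc_url( is a quick way to find candidates for the unescaped pattern in a plugin's admin pages.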
Exploitation
An unauthenticated attacker can craft a malicious link that includes a script payload in the URL parameters. The victim must be tricked into clicking the link, which then executes the injected script in the context of the victim's browser session. No prior authentication or special configuration is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or other actions performed within the context of the affected WordPress site.
Mitigation
The plugin developer has released a fix in version 2.5.8, as indicated by the changeset [1]. Users are strongly advised to update to the latest available version immediately. No workaround has been provided for older versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1 (changeset r3198559)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.