CVE-2025-24626

The Music Store plugin for WordPress, versions up to and including 1.1.19, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw occurs when user-supplied data is reflected back in the response without adequate sanitization, enabling script injection.

An attacker can exploit this by crafting a malicious link containing the XSS payload and tricking a privileged user, such as an administrator, into clicking it. While the attacker does not need authentication, successful exploitation requires the victim to perform an action like clicking the link or visiting a crafted page [1]. This makes the vulnerability suitable for mass-exploit campaigns targeting numerous WordPress sites.

If exploited, the attacker can inject arbitrary HTML and JavaScript into the victim's browser session. This can lead to redirects, advertisement injection, session cookie theft, or other malicious actions within the context of the affected website [1].

The vulnerability is patched in version 1.2.0 of the plugin. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].