CVE-2025-24694
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Pop-Up banners (cm-pop-up-banners) allows Reflected XSS. This issue affects CM Pop-Up banners: from n/a through <= 1.7.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in CM Pop-Up banners plugin (≤1.7.6); attackers can inject malicious scripts via crafted links requiring user interaction.
Vulnerability
Description
CVE-2025-24694 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin CM Pop-Up Banners, versions through 1.7.6. The issue arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into the response [1].
Exploitation
Prerequisites
An attacker can trigger the vulnerability by crafting a malicious link that, when clicked by a privileged user (e.g., an administrator), executes the injected script in the context of the victim's session. User interaction is required—the victim must click the link, visit a crafted page, or submit a form [1]. This type of reflected XSS does not require authentication on the attacker's part but depends on the target user's privileges.
Impact
Successful exploitation could allow an attacker to inject scripts that redirect visitors, display advertisements, or perform other arbitrary actions on the affected WordPress site. Because the script executes in the context of the victim user's session, an attacker could potentially perform actions that the victim is authorized to do, such as creating new admin users or modifying site content [1]. The vulnerability is rated as High severity with a CVSS v3 score of 7.1, reflecting its potential for harm in mass-exploit campaigns.
Mitigation
The vulnerability is patched in version 1.7.7. Users are strongly advised to update the plugin immediately. If updating is not possible, a security rule from Patchstack can block attacks until the update is applied [1]. The vulnerability is listed with a moderate risk rating and is expected to be exploited.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.7.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.