VYPR
High severity 7.1 · NVD Advisory · Published Jan 27, 2025 · Updated Apr 23, 2026

CVE-2025-24708

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms (cf7-dynamics-crm) allows Reflected XSS. This issue affects WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through <= 1.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WP Dynamics CRM plugin (≤1.1.6) allows unauthenticated attackers to inject malicious scripts via improperly neutralized input.

The WP Dynamics CRM plugin (versions ≤1.1.6) for WordPress suffers from a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. The flaw lies in the plugin's handling of requests to its CRM integration forms, where request parameters are reflected into the response page without sanitization or output escaping, allowing an attacker to inject arbitrary HTML and JavaScript into the page.

Exploitation does not require authentication, but successful execution typically relies on user interaction such as clicking a crafted link or visiting a specially prepared URL [1]. The attack surface is broadened by the plugin's support for multiple popular form builders (Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms), making it a viable target for mass-exploit campaigns across many WordPress sites [1].

An attacker leveraging this vulnerability can inject malicious scripts that execute in the context of the victim's browser session. This could lead to actions such as redirecting users to phishing sites, displaying unwanted advertisements, stealing session cookies, or delivering other HTML payloads that compromise site integrity and visitor trust [1].

Patchstack has issued mitigation rules to block exploitation attempts, and the vendor has released version 1.1.7 to fix the vulnerability. Users are strongly advised to update to version 1.1.7 or later immediately [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.


References: 1
