CVE-2025-54024

2025-07-16 [email protected]
WordPress PHP XSS

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts wpadverts allows DOM-Based XSS.This issue affects WPAdverts: from n/a through <= 2.2.5.

AnalysisAI

DOM-based cross-site scripting (XSS) in WPAdverts WordPress plugin versions 2.2.5 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability enables arbitrary JavaScript execution in the context of affected websites, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed, and EPSS probability remains low at 0.04%.

Technical ContextAI

WPAdverts is a WordPress plugin for managing classified advertisements. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting flaws. DOM-based XSS occurs when user-controlled input is processed by client-side JavaScript and inserted into the DOM without proper sanitization or encoding, allowing an attacker to control script execution in a victim's browser. This differs from stored or reflected XSS in that the payload manipulation occurs entirely on the client side, often through URL parameters or local storage manipulation that the vulnerable JavaScript then processes unsafely.

Affected ProductsAI

WPAdverts WordPress plugin versions 2.2.5 and earlier are affected. The plugin is maintained by Greg Winiarski and is distributed through the WordPress plugin repository. Organizations running any version up to and including 2.2.5 should evaluate their exposure. Detailed vendor advisory and vulnerability specifics are available via the Patchstack database reference provided.

RemediationAI

Update WPAdverts to a version newer than 2.2.5 immediately; consult the plugin's official repository or Patchstack advisory for the exact patched version number. If an immediate upgrade is not possible, review WordPress security hardening practices including Content Security Policy (CSP) headers, which can mitigate DOM-based XSS impact by restricting inline script execution. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpadverts contains specific remediation guidance and may reference a patched version number.

Share

CVE-2025-54024 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy