CVE-2025-24655 identifies a reflected Cross-site Scripting (XSS) vulnerability in the PickPlugins Wishlist plugin for WordPress, affecting versions up to and including 1.0.39. The vulnerability stems from improper neutralization of input during web page generation, which allows attackers to inject malicious JavaScript code into web pages viewed by other users. This reflected XSS occurs when user-supplied input is embedded in the page output without adequate sanitization or encoding, enabling attackers to craft URLs or form submissions that execute arbitrary scripts in the victim's browser. Such scripts can steal session cookies, perform actions on behalf of the user, or redirect users to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile, but exploitation requires user interaction, such as clicking a malicious link. No CVSS score has been assigned yet, and no public exploits are known at this time. The affected product, PickPlugins Wishlist, is a popular WordPress plugin used by e-commerce websites to provide wishlist functionality, making it a common target due to the large user base and the sensitive nature of e-commerce user data. The lack of patches or official fixes at the time of publication means users must rely on interim mitigations. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent injection attacks.

The primary impact of this vulnerability is on the confidentiality and integrity of user data. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information such as login credentials or personal data, and unauthorized actions performed on behalf of the user. This can result in account compromise, financial fraud, or reputational damage to the affected organization. Additionally, attackers could use the vulnerability to deliver malware or redirect users to malicious websites, further amplifying the risk. For organizations running e-commerce sites, this undermines customer trust and may lead to regulatory compliance issues related to data protection. Although the vulnerability does not directly affect server availability, the indirect consequences of exploitation can disrupt business operations and incur remediation costs.

Organizations should prioritize updating the PickPlugins Wishlist plugin to a patched version once it becomes available. Until an official patch is released, administrators can implement several mitigations: 1) Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting the wishlist plugin endpoints. 2) Implement strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources of executable scripts. 3) Review and harden input validation and output encoding mechanisms in custom code or theme templates interacting with the wishlist plugin to ensure all user input is properly sanitized. 4) Educate users and staff to be cautious about clicking suspicious links, especially those purporting to come from the affected site. 5) Monitor web server and application logs for unusual request patterns indicative of attempted XSS exploitation. 6) Consider temporarily disabling the wishlist functionality if it is not critical to business operations until a patch is applied. These targeted actions go beyond generic advice and address the specific nature of the reflected XSS vulnerability in this plugin.