CVE-2025-24722 identifies a stored Cross-site Scripting (XSS) vulnerability in the Ays Pro FAQ Builder AYS plugin, specifically versions up to 1.7.3. Stored XSS occurs when malicious input is improperly sanitized and then permanently stored by the application, later served to users without adequate neutralization. In this case, the plugin fails to properly sanitize user-supplied input during web page generation, allowing attackers to inject arbitrary JavaScript code into FAQ pages. When other users visit these pages, the malicious scripts execute in their browsers within the context of the vulnerable site. This can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or redirection to malicious sites. The vulnerability does not require authentication, meaning any remote attacker can exploit it by submitting crafted input. No user interaction beyond visiting the affected page is necessary for exploitation. Although no public exploits have been reported yet, the nature of stored XSS makes it a critical risk for websites using this plugin. The lack of a CVSS score suggests the vulnerability is newly published and pending detailed assessment. The vulnerability affects all versions up to 1.7.3, and no official patches or mitigation links are currently provided, indicating users must rely on interim defensive measures until an update is released.

The impact of this stored XSS vulnerability is significant for organizations using the Ays Pro FAQ Builder AYS plugin on their websites. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially leading to theft of session cookies, user credentials, or other sensitive information. This can result in account compromise, unauthorized access, and data breaches. Additionally, attackers may perform actions on behalf of users, deface websites, or redirect users to phishing or malware sites, damaging organizational reputation and user trust. The vulnerability affects website availability indirectly by enabling attacks that could lead to site blacklisting or downtime during incident response. Since the vulnerability requires no authentication and no user interaction beyond page visit, it is relatively easy to exploit remotely at scale. Organizations with high web traffic or sensitive user data are at elevated risk. The absence of known exploits in the wild currently reduces immediate threat but does not diminish the potential for rapid weaponization once public proof-of-concept code emerges.

Organizations should prioritize the following mitigation steps: 1) Monitor for and apply official patches or updates from Ays Pro as soon as they are released to remediate the vulnerability directly. 2) Implement strict input validation and output encoding on all user-supplied data, especially in FAQ content fields, to prevent injection of malicious scripts. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 4) Conduct regular security audits and penetration testing focused on web application input handling. 5) Use Web Application Firewalls (WAFs) with rules designed to detect and block XSS attack patterns targeting the FAQ Builder plugin. 6) Educate content editors and administrators about safe content practices and the risks of embedding untrusted input. 7) Monitor web server and application logs for unusual input patterns or suspicious activity indicative of exploitation attempts. These measures collectively reduce the risk until a vendor patch is available.