CVE-2025-24745 is a reflected Cross-site Scripting (XSS) vulnerability identified in the RadiusTheme Classified Listing plugin, a popular WordPress plugin used for creating classified listing websites. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being included in the HTML output. This allows attackers to craft malicious URLs containing executable JavaScript code that, when visited by a victim, executes in the context of the vulnerable website. The reflected nature of the XSS indicates that the malicious script is not stored on the server but reflected immediately in the HTTP response. This type of vulnerability can be exploited without authentication, increasing its risk profile. The affected versions include all versions up to and including 4.0.1, with no patch currently available as per the provided data. No known exploits have been reported in the wild yet, but the vulnerability was reserved and published in early 2025. The absence of a CVSS score requires an independent severity assessment based on the potential impact and exploitability. The vulnerability primarily threatens the confidentiality and integrity of users interacting with affected websites, enabling attacks such as session hijacking, cookie theft, phishing, and unauthorized actions performed on behalf of the user.

The impact of CVE-2025-24745 on organizations worldwide can be significant, especially for those relying on the RadiusTheme Classified Listing plugin for their web presence. Successful exploitation can lead to the execution of arbitrary JavaScript in users' browsers, resulting in session hijacking, theft of sensitive information such as authentication tokens or personal data, and redirection to malicious websites. This can cause reputational damage, loss of customer trust, and potential regulatory consequences if user data is compromised. Additionally, attackers may leverage the vulnerability to conduct further attacks within the victim's network or escalate privileges. Since the vulnerability does not require authentication and can be triggered via crafted URLs, it poses a broad attack surface. Organizations with high web traffic or those in sectors handling sensitive user data (e.g., e-commerce, classifieds, real estate) are at elevated risk. The lack of a patch at the time of disclosure increases the urgency for proactive mitigation to prevent exploitation.

To mitigate CVE-2025-24745 effectively, organizations should: 1) Monitor RadiusTheme and related security advisories closely and apply official patches or updates immediately once released. 2) Implement strict input validation and output encoding on all user-supplied data to prevent malicious script injection, following secure coding best practices such as using context-aware escaping functions. 3) Deploy Web Application Firewalls (WAFs) configured to detect and block common XSS attack patterns, including suspicious query parameters and script tags. 4) Educate users and administrators about the risks of clicking on untrusted links and encourage cautious browsing behavior. 5) Conduct regular security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively. 6) Consider temporarily disabling or restricting access to the Classified Listing plugin if immediate patching is not feasible, especially on high-value or sensitive websites. 7) Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, thereby reducing the impact of potential XSS attacks.