
CVE-2025-24774: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce

Severity: High
Published: Fri Jun 27 2025 (06/27/2025, 11:52:47 UTC)
Source: CVE Database V5
Vendor/Project: mojoomla
Product: WPCRM - CRM for Contact form CF7 & WooCommerce

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows Reflected XSS. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.

AI-Powered Analysis

Last updated: 06/27/2025, 12:59:28 UTC

Technical Analysis

CVE-2025-24774 is a high-severity reflected Cross-site Scripting (XSS) vulnerability identified in the mojoomla WPCRM plugin, which integrates CRM functionalities for Contact Form 7 (CF7) and WooCommerce on WordPress sites. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject malicious scripts. This reflected XSS can be triggered remotely without authentication (AV:N/PR:N), requiring only user interaction (UI:R), and affects confidentiality, integrity, and availability (C:L/I:L/A:L) of the affected systems. The vulnerability impacts all versions up to 3.2.0, with no patch currently available. The scope is considered changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially compromising the entire web application or user sessions. Although no known exploits are reported in the wild yet, the ease of exploitation and the common usage of WordPress with CF7 and WooCommerce make this a significant threat. Attackers could leverage this vulnerability to execute arbitrary JavaScript in the context of users’ browsers, leading to session hijacking, credential theft, defacement, or redirection to malicious sites.

Potential Impact

For European organizations using WordPress sites with the WPCRM plugin for CF7 and WooCommerce, this vulnerability poses a substantial risk. Many European businesses rely on WooCommerce for e-commerce operations and CF7 for customer interactions, making this plugin widely deployed. Successful exploitation could lead to data breaches involving customer information, financial data, and internal communications. The reflected XSS could be used to bypass same-origin policies, enabling attackers to steal session cookies or perform actions on behalf of authenticated users, undermining trust and potentially violating GDPR requirements for data protection. The resulting reputational damage, regulatory fines, and operational disruptions could be severe. Additionally, the vulnerability could be exploited as a foothold for further attacks within corporate networks, especially if administrative users are targeted. Given the cross-border nature of many European businesses, the impact could cascade across multiple jurisdictions.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply Web Application Firewall (WAF) rules specifically targeting reflected XSS payloads related to the WPCRM plugin’s parameters. Second, enforce strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Third, conduct thorough input validation and output encoding on all user-supplied data within the application if custom modifications are possible. Fourth, monitor web server logs and user reports for suspicious activity indicative of XSS exploitation attempts. Fifth, consider temporarily disabling or replacing the WPCRM plugin with alternative CRM solutions that do not exhibit this vulnerability until a patch is released. Finally, ensure all WordPress core and other plugins are updated to minimize the attack surface and maintain robust backup and incident response plans tailored to web application compromises.
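The following is an added example, not code from the advisory or from the WPCRM plugin, and it assumes nothing about the plugin's actual parameters: it shows the CWE-79 pattern described in the technical analysis (a query value reflected into HTML verbatim) beside its output-encoded form, then the two compensating controls from the mitigation list above that can be demonstrated in code, a restrictive Content-Security-Policy header and a review of access-log lines for query values carrying markup. The function names, the log-line shape and the log lines themselves are constructed for illustration.

```python
"""Added example (not from the advisory or the WPCRM plugin): reflected output
without and with HTML entity encoding, a CSP header as a compensating control,
and a log-review helper that flags query values containing markup.
All request values and log lines are constructed for illustration."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# --- 1. Output encoding: the CWE-79 defect beside its fix ------------------

def render_vulnerable(search_term: str) -> str:
    """Reflects a request parameter into HTML verbatim (the CWE-79 pattern).
    Kept only to show the 'before' state; never ship this form."""
    return f"<p>Results for: {search_term}</p>"

def render_hardened(search_term: str) -> str:
    """Reflects the same parameter after HTML entity encoding. quote=True also
    encodes single and double quotes, so the value is safe in attribute
    context as well as in element text."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"

# --- 2. Content Security Policy as a compensating control -----------------

def security_headers(nonce: str) -> dict:
    """Response headers that stop injected inline script from executing even if
    a reflection slips through. The per-response nonce lets the site's own
    inline scripts keep running while unauthorised ones are blocked."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }

# --- 3. Log review: flag requests whose query string carries markup --------

# Constructed access-log shape: <ip> - - [<ts>] "<method> <target> HTTP/1.1" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Tag openers, inline event-handler attributes, or javascript: URLs
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return (ip, path, parameter) for every request in which a decoded query
    value contains HTML markup. parse_qs decodes one layer of percent-encoding;
    the extra unquote_plus catches values that were encoded twice."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if MARKUP_RE.search(unquote_plus(value)):
                    hits.append((m.group("ip"), parts.path, name))
    return hits

# Constructed sample log lines: one benign request, one with an encoded tag and
# event-handler attribute, one with a double-encoded tag.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2025:12:00:01 +0000] "GET /contact/?q=quarterly+report HTTP/1.1" 200 5120',
    '198.51.100.4 - - [27/Jun/2025:12:00:05 +0000] "GET /contact/?name=%3Cb+onclick%3Dx%3E HTTP/1.1" 200 3210',
    '198.51.100.4 - - [27/Jun/2025:12:00:09 +0000] "GET /?s=%253Cscript%253E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_vulnerable("<b>"))   # markup reaches the browser unchanged
    print(render_hardened("<b>"))     # markup is rendered as text
    print(security_headers("r4nd0m")["Content-Security-Policy"])
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```

The log-review helper is deliberately narrow (tags, event handlers, javascript: URLs in decoded query values) so that it produces a short list to hand to an analyst rather than a generic signature; it complements, not replaces, the WAF rules the advisory recommends, since it only sees requests after they have been served.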


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-01-23T14:53:25.027Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685e88edca1063fb875de478

Added to database: 6/27/2025, 12:05:01 PM

Last enriched: 6/27/2025, 12:59:28 PM

Last updated: 8/1/2025, 4:19:59 AM

