CVE-2025-24774: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows Reflected XSS. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.
AI Analysis
Technical Summary
CVE-2025-24774 is a high-severity reflected Cross-site Scripting (XSS) vulnerability identified in the mojoomla WPCRM plugin, which integrates CRM functionalities for Contact Form 7 (CF7) and WooCommerce on WordPress sites. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject malicious scripts. This reflected XSS can be triggered remotely without authentication (AV:N/PR:N), requiring only user interaction (UI:R), and affects confidentiality, integrity, and availability (C:L/I:L/A:L) of the affected systems. The vulnerability impacts all versions up to 3.2.0, with no patch currently available. The scope is considered changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially compromising the entire web application or user sessions. Although no known exploits are reported in the wild yet, the ease of exploitation and the common usage of WordPress with CF7 and WooCommerce make this a significant threat. Attackers could leverage this vulnerability to execute arbitrary JavaScript in the context of users’ browsers, leading to session hijacking, credential theft, defacement, or redirection to malicious sites.
Potential Impact
For European organizations using WordPress sites with the WPCRM plugin for CF7 and WooCommerce, this vulnerability poses a substantial risk. Many European businesses rely on WooCommerce for e-commerce operations and CF7 for customer interactions, making this plugin widely deployed. Successful exploitation could lead to data breaches involving customer information, financial data, and internal communications. The reflected XSS could be used to bypass same-origin policies, enabling attackers to steal session cookies or perform actions on behalf of authenticated users, undermining trust and potentially violating GDPR requirements for data protection. The resulting reputational damage, regulatory fines, and operational disruptions could be severe. Additionally, the vulnerability could be exploited as a foothold for further attacks within corporate networks, especially if administrative users are targeted. Given the cross-border nature of many European businesses, the impact could cascade across multiple jurisdictions.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply Web Application Firewall (WAF) rules specifically targeting reflected XSS payloads related to the WPCRM plugin’s parameters. Second, enforce strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Third, conduct thorough input validation and output encoding on all user-supplied data within the application if custom modifications are possible. Fourth, monitor web server logs and user reports for suspicious activity indicative of XSS exploitation attempts. Fifth, consider temporarily disabling or replacing the WPCRM plugin with alternative CRM solutions that do not exhibit this vulnerability until a patch is released. Finally, ensure all WordPress core and other plugins are updated to minimize the attack surface and maintain robust backup and incident response plans tailored to web application compromises.
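The fourth mitigation step above (monitoring web server logs for XSS exploitation attempts), as an added example that is not part of this advisory or of the plugin: a small Python scanner that URL-decodes query-string values in Combined Log Format access-log lines and flags common reflected-XSS markers. The log lines, hosts, paths and parameter names are constructed placeholders, not the plugin's real endpoints; the marker list is deliberately broad and will need tuning per site.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (Combined Log Format). Hosts, paths and
# parameter names are made up; they are not the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2025:12:05:01 +0000] "GET /contact/?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jun/2025:12:06:14 +0000] "GET /shop/?s=blue+shoes HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2025:12:07:02 +0000] "GET /?ref=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Jun/2025:12:08:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markers are matched against the fully URL-decoded, lower-cased parameter value.
XSS_MARKERS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b")),
    ("js_uri", re.compile(r"javascript\s*:")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=")),   # onerror=, onload=, ...
    ("html_tag", re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b")),
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding; double-encoded payloads are common."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_markers(value):
    """Return the names of all markers present in one parameter value."""
    decoded = fully_decode(value).lower()
    return [name for name, rx in XSS_MARKERS if rx.search(decoded)]

def scan_log(text):
    """Flag requests whose query-string values carry reflected-XSS markers (POST bodies are not logged)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))   # parse_qsl performs the first decode round
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = find_xss_markers(value)
            if hits:
                findings.append({"ip": m.group("ip"), "path": parts.path, "param": param, "markers": hits})
    return findings
```

Run `scan_log` over a real access log and feed the findings to your SIEM or WAF tuning; expect some false positives from the event-handler regex on ordinary words ending in "on".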
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:53:25.027Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e88edca1063fb875de478
Added to database: 6/27/2025, 12:05:01 PM
Last enriched: 6/27/2025, 12:59:28 PM
Last updated: 8/1/2025, 4:19:59 AM
Related Threats
- CVE-2025-8911: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WellChoose Organization Portal System (Medium)
- CVE-2025-8910: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WellChoose Organization Portal System (Medium)
- CVE-2025-8909: CWE-36 Absolute Path Traversal in WellChoose Organization Portal System (Medium)
- CVE-2025-55345: CWE-61 UNIX Symbolic Link (Symlink) Following (High)
- CVE-2025-6184: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in themeum Tutor LMS Pro (High)