Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-24635 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paytm Paytm Payment Donation allows Reflected XSS. This issue affects Paytm Payment Donation: from n/a through 2.3.1.

CVE-2025-24710 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcel Pol Gwolle Guestbook allows Reflected XSS. This issue affects Gwolle Guestbook: from n/a through 4.7.1.

CVE-2025-24718 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SWIT WP Sessions Time Monitoring Full Automatic allows Reflected XSS. This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through 1.1.1.

CVE-2025-24608 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through 4.3.

CVE-2025-24632 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce allows Reflected XSS. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.9.0.

CVE-2025-24609 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PortOne PORTONE 우커머스 결제 allows Reflected XSS. This issue affects PORTONE 우커머스 결제: from n/a through 3.2.4.

CVE-2025-23980 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle allows Stored XSS. This issue affects Full Circle: from n/a through 0.5.7.8.

CVE-2025-23978 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Ninos Ego FlashCounter allows Stored XSS. This issue affects FlashCounter: from n/a through 1.1.8.

CVE-2025-23977 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Bhaskar Dhote Post Carousel Slider allows Stored XSS. This issue affects Post Carousel Slider: from n/a through 2.0.1.

CVE-2025-24686 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.
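The ten entries above fall into two patterns. Seven are reflected XSS, where a request parameter is written into the generated page without escaping. Three are CSRF flaws that let a forged request store attacker-controlled HTML, so the stored value is later rendered to other users. Both come down to the same omissions in plugin code: no context-appropriate output escaping, and no nonce or capability check on a state-changing request. The following is an added illustration, not code from any plugin named in this advisory; the `rzex_` prefix, the `rzex_footer_html` option, the `rzex_save_footer` nonce action and the settings page slug are all invented for the example. Each vulnerable handler is shown next to its hardened form built on WordPress core APIs, so it runs inside a WordPress install.

```php
<?php
/*
 * Added illustration (not code from any plugin named in this advisory).
 * Hypothetical plugin handlers showing the two bug classes the CVEs describe,
 * each next to its hardened counterpart. Relies on WordPress core functions.
 */

// --- Pattern 1: reflected XSS ------------------------------------------------
// VULNERABLE: the request parameter is echoed straight into the response.
function rzex_search_banner_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for: ' . $q . '</p>';   // any HTML in ?q= lands in the page
}

// HARDENED: unslash and sanitize on input, escape on output for the exact
// context the value is placed in (text node vs. attribute value).
function rzex_search_banner_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';                  // text context
    echo '<input type="search" name="q" value="' . esc_attr( $q ) . '">'; // attribute context
}

// --- Pattern 2: CSRF leading to stored XSS -----------------------------------
// VULNERABLE: any POST to admin-post.php?action=rzex_save_footer changes the
// option. No nonce, no capability check, and the raw value is stored as-is.
function rzex_save_footer_vulnerable() {
    update_option( 'rzex_footer_html', $_POST['footer_html'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=rzex' ) );
    exit;
}

// HARDENED: require a nonce bound to this specific action, require the
// capability, and keep only an allow-listed subset of HTML.
function rzex_save_footer_hardened() {
    check_admin_referer( 'rzex_save_footer' );   // calls wp_die() unless the nonce is valid
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rzex' ), '', array( 'response' => 403 ) );
    }
    $html = isset( $_POST['footer_html'] )
        ? wp_kses_post( wp_unslash( $_POST['footer_html'] ) )
        : '';
    update_option( 'rzex_footer_html', $html );
    wp_safe_redirect( admin_url( 'options-general.php?page=rzex' ) );
    exit;
}

// The settings form has to emit the nonce that the hardened handler checks.
function rzex_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'rzex_save_footer' );
    echo '<input type="hidden" name="action" value="rzex_save_footer">';
    echo '<textarea name="footer_html">' . esc_textarea( get_option( 'rzex_footer_html', '' ) ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}

// Render the stored value. wp_kses_post() already restricted it on save, but
// filtering again on output costs nothing and still protects if the save path
// is ever bypassed (e.g. a direct database edit).
function rzex_render_footer() {
    echo wp_kses_post( get_option( 'rzex_footer_html', '' ) );
}

add_action( 'admin_post_rzex_save_footer', 'rzex_save_footer_hardened' );
```

Two points worth noting from the hardened handler. The nonce alone is not an authorization check: `check_admin_referer()` proves the request came from a form this site generated for this user, while `current_user_can()` proves the user is allowed to make the change, and a CSRF fix that adds only the first still lets any logged-in subscriber change the option if the form is reachable. And escaping must match the output context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for href/action, `esc_textarea()` inside a textarea; using one of them everywhere is what usually leaves a reflected XSS behind.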

Impact

  • Cross-Site Scripting
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-24635

  • CVE-2025-24710

  • CVE-2025-24718

  • CVE-2025-24608

  • CVE-2025-24632

  • CVE-2025-24609

  • CVE-2025-23980

  • CVE-2025-23978

  • CVE-2025-23977

  • CVE-2025-24686

Affected Vendors

  • WordPress

Affected Products

  • Paytm Paytm Payment Donation - n/a
  • Marcel Pol Gwolle Guestbook - n/a
  • SWIT WP Sessions Time Monitoring Full Automatic - n/a
  • Milan Petrovic GD Mail Queue - n/a
  • AlgolPlus Advanced Dynamic Pricing for WooCommerce - n/a
  • PortOne PORTONE 우커머스 결제 - n/a
  • James Andrews Full Circle - n/a
  • Ninos Ego FlashCounter - n/a
  • Bhaskar Dhote Post Carousel Slider - n/a
  • Metagauss User Registration Forms RegistrationMagic - n/a

Remediation

Update each affected plugin to the latest version available from the WordPress plugin directory.
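Because every entry is "from n/a through X", any installed version at or below the ceiling is affected. The script below is an added example, not part of the advisory, that checks a WP-CLI plugin inventory against those ceilings. It assumes the input is the JSON produced by `wp plugin list --format=json --fields=name,title,version` saved to a file, and that the `title` field matches the product names used in the CVE text; the `rzex_` function names and the sample inventory are constructed for the example. It pads version strings to the same number of components before comparing, because PHP's `version_compare()` treats `4.3.0` as greater than `4.3`, which would otherwise let an installed `4.3.0` slip past the `4.3` ceiling.

```php
<?php
/*
 * Added example (not part of the advisory).
 * Usage:
 *   wp plugin list --format=json --fields=name,title,version > plugins.json
 *   php check_plugins.php plugins.json
 * With no argument it runs against a constructed sample inventory.
 * Exit status: 1 if any affected plugin is found, 0 otherwise, 2 on bad input.
 */

// Product name (plugin Name header) => highest affected version, taken from the
// "through" versions in the advisory. Lower bound is "n/a", i.e. all earlier versions.
const RZEX_AFFECTED_THROUGH = [
    'Paytm Payment Donation'                     => '2.3.1',
    'Gwolle Guestbook'                           => '4.7.1',
    'WP Sessions Time Monitoring Full Automatic' => '1.1.1',
    'GD Mail Queue'                              => '4.3',
    'Advanced Dynamic Pricing for WooCommerce'   => '4.9.0',
    'PORTONE 우커머스 결제'                          => '3.2.4',
    'Full Circle'                                => '0.5.7.8',
    'FlashCounter'                               => '1.1.8',
    'Post Carousel Slider'                       => '2.0.1',
    'RegistrationMagic'                          => '6.0.3.3',
];

// Pad a dotted version to $parts components so "4.3" and "4.3.0" compare equal.
function rzex_normalize_version( string $v, int $parts ): string {
    $segs = explode( '.', $v );
    while ( count( $segs ) < $parts ) {
        $segs[] = '0';
    }
    return implode( '.', $segs );
}

// True when $installed is at or below the advisory ceiling for $title.
function rzex_is_affected( string $title, string $installed ): bool {
    if ( ! isset( RZEX_AFFECTED_THROUGH[ $title ] ) ) {
        return false;
    }
    $ceiling = RZEX_AFFECTED_THROUGH[ $title ];
    $parts   = max( count( explode( '.', $installed ) ), count( explode( '.', $ceiling ) ) );
    return version_compare(
        rzex_normalize_version( $installed, $parts ),
        rzex_normalize_version( $ceiling, $parts ),
        '<='
    );
}

// Returns the inventory entries that need updating.
function rzex_find_affected( array $plugins ): array {
    $hits = [];
    foreach ( $plugins as $p ) {
        $title   = (string) ( $p['title'] ?? '' );
        $version = (string) ( $p['version'] ?? '' );
        if ( $title !== '' && $version !== '' && rzex_is_affected( $title, $version ) ) {
            $hits[] = [
                'name'    => (string) ( $p['name'] ?? '' ),
                'title'   => $title,
                'version' => $version,
                'through' => RZEX_AFFECTED_THROUGH[ $title ],
            ];
        }
    }
    return $hits;
}

if ( isset( $argv[1] ) ) {
    $raw = file_get_contents( $argv[1] );
} else {
    // Constructed sample inventory, not a real site. Slugs are placeholders.
    $raw = json_encode( [
        [ 'name' => 'sample-guestbook', 'title' => 'Gwolle Guestbook', 'version' => '4.7.1' ], // == ceiling: affected
        [ 'name' => 'sample-mailqueue', 'title' => 'GD Mail Queue',    'version' => '4.3.0' ], // pads to 4.3.0 == 4.3: affected
        [ 'name' => 'sample-counter',   'title' => 'FlashCounter',     'version' => '1.2.0' ], // above ceiling: clean
        [ 'name' => 'sample-other',     'title' => 'Unrelated Plugin', 'version' => '9.9' ],   // not in advisory: clean
    ] );
}

$plugins = json_decode( (string) $raw, true );
if ( ! is_array( $plugins ) ) {
    fwrite( STDERR, "Could not parse plugin list JSON.\n" );
    exit( 2 );
}

$hits = rzex_find_affected( $plugins );
foreach ( $hits as $hit ) {
    printf( "AFFECTED  %-44s %-10s (affected through %s)\n", $hit['title'], $hit['version'], $hit['through'] );
}
exit( count( $hits ) > 0 ? 1 : 0 );
```

Matching on the plugin title is the weak spot of this check: the Name header a plugin ships can differ from the product name in the CVE text (the PORTONE entry is an obvious candidate), so a clean result for a plugin you know is installed should be confirmed by comparing its version against the advisory by hand. Versions with pre-release suffixes are passed through to `version_compare()` unchanged after padding, which is adequate for release builds but not a full semantic-version parser.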