CVE-2025-24563: 
WordPress vulnerability analysis and mitigation

The Cleanup – Directory Listing & Classifieds WordPress Plugin is affected by a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0.4. The vulnerability was discovered and disclosed on January 31, 2025, and has been assigned CVE-2025-24563. The issue stems from insufficient input sanitization and output escaping in the plugin (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 7.1 (HIGH). The issue allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform certain actions, such as clicking on a malicious link (NVD).

If exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These scripts would execute when visitors access the affected pages, potentially compromising user data or facilitating further attacks (Patchstack).

The vulnerability has been fixed in version 1.0.5 of the plugin. Users are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).