CVE-2025-24573: 
WordPress vulnerability analysis and mitigation

CVE-2025-24573 is a DOM-Based Cross-Site Scripting (XSS) vulnerability discovered in PageLayer WordPress plugin affecting versions up to and including 1.9.4. The vulnerability was disclosed on January 24, 2025, and impacts the Pagelayer Team PageLayer plugin (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.5 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, required low privileges, and user interaction (NVD).

This vulnerability could allow authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The successful exploitation could lead to the execution of malicious scripts, such as redirects, advertisements, and other HTML payloads on the affected website (WPScan, Patchstack).

The vulnerability has been fixed in PageLayer version 1.9.5. Users are advised to update to version 1.9.5 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).