CVE-2025-24617: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in AcyMailing SMTP Newsletter plugin versions prior to 9.11.1. The vulnerability was discovered by Dimas Maulana and publicly disclosed on December 30, 2024. This security issue affects the AcyMailing Newsletter Team's AcyMailing SMTP Newsletter plugin for WordPress (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 base score of 7.1 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is changed (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD).

The vulnerability could allow unauthenticated attackers to inject malicious scripts into the website, which would be executed when users visit the affected pages. This could lead to various malicious activities including redirects, unauthorized advertisements, and execution of other HTML payloads (Patchstack).

Users are advised to update to AcyMailing SMTP Newsletter version 9.11.1 or later to resolve the vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).