CVE-2025-24629: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in WPGear Import Excel to Gravity Forms plugin affecting versions through 1.18. The vulnerability was discovered by Le Ngoc Anh and publicly disclosed on January 20, 2025. This security issue impacts WordPress installations using the affected plugin versions (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the reflected type, which falls under the OWASP Top 10 category A3: Injection. The vulnerability has been assigned a CVSS v3.1 score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, making it particularly concerning (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising the security of both the website and its users (Patchstack).

The vulnerability has been fixed in version 1.18.1 of the plugin. Website administrators are advised to update to version 1.18.1 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update can be applied (Patchstack).