CVE-2025-24681: 
WordPress vulnerability analysis and mitigation

The CVE-2025-24681 is a Cross-site Scripting (XSS) vulnerability discovered in the wpWax Product Carousel Slider & Grid Ultimate for WooCommerce WordPress plugin. The vulnerability affects all versions up to and including 1.10.0, and was disclosed on January 24, 2025. This security issue allows for Stored XSS attacks in WordPress installations where authenticated users with editor-level permissions or above can exploit the vulnerability (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The security issue stems from insufficient input sanitization and output escaping in the plugin's code. This vulnerability particularly affects multi-site installations and installations where unfiltered_html has been disabled (Patchstack).

The vulnerability allows malicious actors with appropriate permissions to inject arbitrary web scripts into pages. When users access these compromised pages, the injected scripts will execute in their browsers. This could potentially lead to various attacks including redirects, unauthorized advertisements, and execution of other malicious HTML payloads on the affected website (Patchstack).

The vulnerability has been patched in version 1.10.1 of the plugin. Website administrators are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).