CVE-2025-24710: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Gwolle Guestbook plugin, tracked as CVE-2025-24710. The vulnerability affects versions up to and including 4.7.1 of the Gwolle Guestbook plugin, developed by Marcel Pol. The issue was discovered by Peter Thaleikis and was publicly disclosed on January 31, 2025 (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping in the plugin. It has been assigned a CVSS v3.1 score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when users visit the affected site, potentially compromising the security of website visitors (Patchstack).

Website administrators are advised to update to Gwolle Guestbook version 4.7.2 or later, which contains the fix for this vulnerability. For users of Patchstack, a virtual patch has been issued to mitigate the issue by blocking potential attacks until the update can be applied (Patchstack).